CVE-2025-21617: 
PHP vulnerability analysis and mitigation

Guzzle OAuth Subscriber, which signs Guzzle requests using OAuth 1.0, contained a security vulnerability prior to version 0.8.1. The vulnerability was discovered on January 6, 2025, and was assigned CVE-2025-21617. The issue affects all versions before 0.8.1 of the guzzlehttp/oauth-subscriber package (GitHub Advisory).

The vulnerability stems from insufficient entropy in nonce generation and the lack of a cryptographically secure pseudorandom source in the OAuth implementation. The affected code was located in the generateNonce function, which used sha1 and uniqid functions that don't provide sufficient randomness (GitHub Source). The issue has been assigned a CVSS v4.0 Base Score of 6.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

When TLS is not used, this vulnerability can leave servers susceptible to replay attacks. The insufficient entropy in nonce generation makes it possible for attackers to predict or reproduce nonce values, potentially compromising the security of OAuth authentication (GitHub Advisory).

The vulnerability has been fixed in version 0.8.1 by implementing a cryptographically secure random number generator using the random_bytes function. Users are advised to upgrade to version 0.8.1 or higher. No workarounds are available for this vulnerability (GitHub Advisory, GitHub Commit).