GHSA-2p6g-gjp8-ggg9: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-2p6g-gjp8-ggg9) was discovered in personnummer/php package, affecting versions prior to 3.0.2. This security issue, reported in June 2020 and published on September 4, 2020, involves improper input validation in the Swedish social security number validation library. The vulnerability was classified as low severity and impacts the validation of personnummer's last four digits (GitHub Advisory).

The vulnerability stems from a regular expression implementation that incorrectly allowed the first three digits in the last four digits of the personnummer to be '000', which is invalid according to Swedish social security number rules. The issue was present in the validation logic of the library, specifically in the regex pattern that validates the structure of personnummer (GitHub Commit).

The vulnerability affects users who rely on the validation of the last four digits of personnummer to be accurate. It could potentially allow invalid personnummer numbers to be accepted as valid, which might impact systems that depend on strict validation of Swedish social security numbers (GitHub Advisory).

The issue has been patched in version 3.0.2 of the PHP package. For users unable to upgrade immediately, a workaround involves implementing an additional check on the last four digits to ensure they're not '000x'. The fix involved updating the regular expression pattern to explicitly exclude the invalid pattern using a negative lookahead assertion (GitHub Advisory, GitHub Commit).