Feeling Lucky
Composer Dependency Changed
bug
PR-5.4-dev
[#47529] - [5.4] Composer update phpseclib/phpseclib to 3.0.50 to fix one high severity security vulnerability
- Fixed in Code Base
- 2 Apr 2026
- Medium
- Build: 5.4-dev
- # 47529
- Diff
- richard67:5.4-dev-composer-audit-fix-2026-04-01
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) updates the composer dependency "phpseclib/phpseclib" from version 3.0.46 to version 3.0.50 to fix one high severity security vulnerability reported by composer audit.
Release notes:
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.47
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.48
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.49
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.50
All changes: phpseclib/phpseclib@3.0.46...3.0.50
Testing Instructions
- Run
composer installand thencomposer audit. - Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
Actual result BEFORE applying this Pull Request
- Composer audit
Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | high |
| Advisory ID | PKSA-km2b-zc3b-mjm3 |
| CVE | CVE-2026-32935 |
| Title | phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack |
| URL | https://github.com/advisories/GHSA-94g3-g5v7-q4jg |
| Affected versions | <=1.0.26|>=2.0.0,<=2.0.51|>=3.0.0,<=3.0.49 |
| Reported at | 2026-03-19T16:42:18+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- Not applicable.
Expected result AFTER applying this Pull Request
- Composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- No breaking changes.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
muhme
- comment
- 2 Apr 2026
✅ Final code review and test before merge with local git clone
- Checked file changes, only
composer.lockis changed and there onlyphpseclib/phpseclib - Tested before PR composer audit shows
phpseclib/phpseclibvulnerability - Applied PR with
gh pr checkout 47529and runningcomposer i composer auditshows only the oneweb-auth/webauthn-libvulnerability as expected
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-04-02 05:31:59 |
| Closed_By | ⇒ | muhme | |
| Labels |
Added:
Composer Dependency Changed
bug
PR-5.4-dev
|
||
muhme
- comment
- 2 Apr 2026
Thank you very much @richard67 for your contribution. Thanks to @brianteeman for testing.
I have tested this item ✅ successfully on 95b6a5c
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47529.