Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#47619] - [5.4] Composer update phpseclib/phpseclib to 3.0.51 to fix one low severity security vulnerability

RTC Composer Dependency Changed bug PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

avatar richard67
richard67
18 Apr 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) updates the composer dependency "phpseclib/phpseclib" from version 3.0.50 to version 3.0.51 to fix one low severity security vulnerability reported by composer audit.

Release notes: https://github.com/phpseclib/phpseclib/releases/tag/3.0.51

Testing Instructions

  1. Run composer install and then composer audit.
  2. Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.

Actual result BEFORE applying this Pull Request

  1. Composer audit
Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | low                                                                              |
| Advisory ID       | PKSA-zh4j-by9m-7mz8                                                              |
| CVE               | CVE-2026-40194                                                                   |
| Title             | phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using |
|                   | != instead of hash_equals()                                                      |
| URL               | https://github.com/advisories/GHSA-r854-jrxh-36qx                                |
| Affected versions | >=3.0.0,<3.0.51|>=2.0.0,<2.0.53|<1.0.28                                          |
| Reported at       | 2026-04-10T20:58:10+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  1. Not applicable.

Expected result AFTER applying this Pull Request

  1. Composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-3mms-4n3p-ym65                                                              |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
  1. No breaking changes.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar richard67 richard67 - open - 18 Apr 2026
avatar richard67 richard67 - change - 18 Apr 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 18 Apr 2026
Category External Library Composer Change
avatar richard67 richard67 - change - 18 Apr 2026
The description was changed
avatar richard67 richard67 - edited - 18 Apr 2026
avatar brianteeman brianteeman - test_item - 18 Apr 2026 - Tested successfully
avatar brianteeman
brianteeman - comment - 18 Apr 2026

I have tested this item ✅ successfully on 586eb0e

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47619.

avatar krishnagandhicode krishnagandhicode - test_item - 18 Apr 2026 - Tested successfully
avatar krishnagandhicode
krishnagandhicode - comment - 18 Apr 2026

I have tested this item ✅ successfully on 586eb0e

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47619.

avatar richard67 richard67 - change - 18 Apr 2026
Status Pending Ready to Commit
Labels Added: NPM Resource Changed bug PR-5.4-dev
avatar richard67
richard67 - comment - 18 Apr 2026

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47619.

avatar muhme muhme - change - 19 Apr 2026
Labels Added: RTC
avatar muhme muhme - change - 19 Apr 2026
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-04-19 05:38:53
Closed_By muhme
Labels Added: Composer Dependency Changed
Removed: NPM Resource Changed
avatar muhme muhme - close - 19 Apr 2026
avatar muhme muhme - merge - 19 Apr 2026
avatar muhme
muhme - comment - 19 Apr 2026

Thank you very much @richard67 for your contribution. Thanks to @brianteeman and @krishnagandhicode for testing.

Add a Comment

Login with GitHub to post a comment