Feeling Lucky
RTC
NPM Resource Changed
bug
PR-6.1-dev
[#47620] - [6.1] Composer update phpseclib/phpseclib to 3.0.51 to fix one low and one high severity security vulnerability
- Ready to Commit
- Medium
- Build: 6.1-dev
- # 47620
- Diff
- richard67:6.1-dev-composer-audit-fix-2026-04-18
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) updates the composer dependency "phpseclib/phpseclib" from version 3.0.49 to version 3.0.51 to fix one low and one high severity security vulnerability reported by composer audit.
Release notes:
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.50
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
All changes: phpseclib/phpseclib@3.0.49...3.0.51
Testing Instructions
- Run
composer installand thencomposer audit. - Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
Actual result BEFORE applying this Pull Request
- Composer audit
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
| Ignore reason | Temporary until Webauthn plugin has been updated. |
+-------------------+----------------------------------------------------------------------------------+
Found 2 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | low |
| Advisory ID | PKSA-zh4j-by9m-7mz8 |
| CVE | CVE-2026-40194 |
| Title | phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using |
| | != instead of hash_equals() |
| URL | https://github.com/advisories/GHSA-r854-jrxh-36qx |
| Affected versions | >=3.0.0,<3.0.51|>=2.0.0,<2.0.53|<1.0.28 |
| Reported at | 2026-04-10T20:58:10+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | high |
| Advisory ID | PKSA-km2b-zc3b-mjm3 |
| CVE | CVE-2026-32935 |
| Title | phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack |
| URL | https://github.com/advisories/GHSA-94g3-g5v7-q4jg |
| Affected versions | <=1.0.26|>=2.0.0,<=2.0.51|>=3.0.0,<=3.0.49 |
| Reported at | 2026-03-19T16:42:18+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- Not applicable.
Expected result AFTER applying this Pull Request
- Composer audit
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
| Ignore reason | Temporary until Webauthn plugin has been updated. |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- No breaking changes.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
adarshdubey03
- comment
- 18 Apr 2026
I have tested this item ✅ successfully on 04db11c
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47620.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
NPM Resource Changed
bug
PR-6.1-dev
|
||
richard67
- comment
- 18 Apr 2026
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47620.
| Labels |
Added:
RTC
|
||
I have tested this item ✅ successfully on 04db11c
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47620.