Feeling Lucky
Composer Dependency Changed
bug
PR-5.4-dev
[#47737] - [5.4] Composer update phpseclib/phpseclib to 3.0.52 to fix one high severity security vulnerability
- Pending
- Medium
- Build: 5.4-dev
- # 47737
- Diff
- richard67:5.4-dev-composer-audit-fix-2026-05-06
- Pending continuous-integration/drone/pr Build is running Details
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) updates the composer dependency "phpseclib/phpseclib" from version 3.0.51 to version 3.0.52 to fix one high severity security vulnerability reported by composer audit.
Release notes: https://github.com/phpseclib/phpseclib/releases/tag/3.0.52
Testing Instructions
- Run
composer installand thencomposer audit. - Verify that there are no breaking changes done with this update by checking the release information listed above in the summary of changes.
Actual result BEFORE applying this Pull Request
- Composer audit
Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | phpseclib/phpseclib |
| Severity | high |
| Advisory ID | PKSA-smrh-yx37-92ws |
| CVE | CVE-2026-44167 |
| Title | phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in |
| | ASN1::decodeOID() |
| URL | https://github.com/advisories/GHSA-3qpq-r242-jqj7 |
| Affected versions | >=3.0.0,<=3.0.51|>=2.0.0,<=2.0.53|>=0.0.11,<=1.0.28 |
| Reported at | 2026-05-05T21:17:57+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- Not applicable.
Expected result AFTER applying this Pull Request
- Composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| Advisory ID | PKSA-3mms-4n3p-ym65 |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
- No breaking changes.
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
| Labels |
Added:
Composer Dependency Changed
bug
PR-5.4-dev
|
||
adarshdubey03
- comment
- 7 May 2026
I have tested this item ✅ successfully on 01adf73
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47737.
I have tested this item ✅ successfully on 01adf73
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47737.