{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/otphp--11.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["otphp \u003c 11.4.3"],"_cs_severities":["medium"],"_cs_tags":["php","denial-of-service","vulnerability","ghsa"],"_cs_type":"advisory","_cs_vendors":["Spomky-Labs"],"content_html":"\u003cp\u003eThe \u003ccode\u003espomky-labs/otphp\u003c/code\u003e library, versions prior to 11.4.3, is affected by a high-severity denial-of-service vulnerability (GHSA-g7m4-839x-ch6v) concerning its handling of OTP provisioning URIs. This vulnerability, disclosed in June 2026, arises when the \u003ccode\u003edigits\u003c/code\u003e parameter within an \u003ccode\u003eotpauth\u003c/code\u003e URI is provided with an excessively large value (typically 40 or greater). The library's internal validation for this parameter only checks for a lower bound, lacking an upper bound. During OTP generation or verification, the calculation \u003ccode\u003e10 ** digits\u003c/code\u003e overflows PHP's integer capacity on 64-bit systems, resulting in an implicit cast to \u003ccode\u003e0\u003c/code\u003e. A subsequent modulo operation with this zero value triggers a \u003ccode\u003eDivisionByZeroError\u003c/code\u003e. Critically, this error extends PHP's \u003ccode\u003eError\u003c/code\u003e class rather than \u003ccode\u003eException\u003c/code\u003e, meaning it bypasses typical \u003ccode\u003etry-catch (\\Exception)\u003c/code\u003e blocks, leading to unhandled fatal errors and effectively causing a denial of service for any application component attempting to process the malformed OTP object.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003eotpauth\u003c/code\u003e provisioning URI containing an unusually large \u003ccode\u003edigits\u003c/code\u003e parameter, for example, \u003ccode\u003eotpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026amp;digits=50\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA vulnerable PHP application, utilizing \u003ccode\u003espomky-labs/otphp\u003c/code\u003e (versions prior to 11.4.3), processes this URI, for instance, by calling \u003ccode\u003eOTPHP\\Factory::loadFromProvisioningUri()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eloadFromProvisioningUri()\u003c/code\u003e function stores the attacker-controlled \u003ccode\u003edigits\u003c/code\u003e parameter, which bypasses validation due to the lack of an upper bound check.\u003c/li\u003e\n\u003cli\u003eLater, the application attempts to generate or verify an OTP by invoking methods like \u003ccode\u003eat()\u003c/code\u003e, \u003ccode\u003enow()\u003c/code\u003e, or \u003ccode\u003everify()\u003c/code\u003e on the \u003ccode\u003eOTPHP\\OTP\u003c/code\u003e object created from the malicious URI.\u003c/li\u003e\n\u003cli\u003eDuring the OTP calculation within \u003ccode\u003esrc/OTP.php:283\u003c/code\u003e, the expression \u003ccode\u003e10 ** $this-\u0026gt;getDigits()\u003c/code\u003e is evaluated using the excessively large \u003ccode\u003edigits\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eOn 64-bit PHP 8.x, for \u003ccode\u003edigits\u003c/code\u003e values around 40 or higher, the exponentiation \u003ccode\u003e10 ** digits\u003c/code\u003e results in an integer overflow, causing PHP to implicitly cast the result to \u003ccode\u003e0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA subsequent modulo operation, \u003ccode\u003e($code % 0)\u003c/code\u003e, attempts to divide by zero, which triggers a \u003ccode\u003eDivisionByZeroError\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs \u003ccode\u003eDivisionByZeroError\u003c/code\u003e is a PHP \u003ccode\u003eError\u003c/code\u003e (not an \u003ccode\u003eException\u003c/code\u003e), it typically bypasses standard error handling, leading to an unhandled fatal error and causing a denial of service for the affected application component.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to an application-level denial of service. When an application attempts to process a maliciously crafted \u003ccode\u003eotpauth\u003c/code\u003e URI, the internal \u003ccode\u003eDivisionByZeroError\u003c/code\u003e leads to an unhandled fatal error, effectively crashing the OTP generation or verification process. This means that users might be unable to log in, perform multi-factor authentication, or complete any transaction relying on OTPs, rendering the affected service partially or fully unavailable. While no specific victim counts are provided, any PHP application utilizing the vulnerable \u003ccode\u003espomky-labs/otphp\u003c/code\u003e library for OTP functionality could be impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003espomky-labs/otphp\u003c/code\u003e library to version 11.4.3 or newer immediately to mitigate the vulnerability (GHSA-g7m4-839x-ch6v).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect GHSA-g7m4-839x-ch6v OTPHP Vulnerability Exploitation Attempt\u0026quot; to your web application firewall (WAF) or intrusion detection system (IDS) to block web requests containing suspicious \u003ccode\u003eotpauth\u003c/code\u003e URIs with large \u003ccode\u003edigits\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect Potential OTP Application Denial of Service (HTTP 5xx Response)\u0026quot; and tune it for high-volume HTTP 5xx responses on OTP-related endpoints as a general indicator of potential DoS.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive application logging for PHP errors and monitor for \u003ccode\u003eDivisionByZeroError\u003c/code\u003e messages, particularly those originating from \u003ccode\u003espomky-labs/otphp\u003c/code\u003e components.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T20:54:10Z","date_published":"2026-06-18T20:54:10Z","id":"https://feed.craftedsignal.io/briefs/2026-06-otphp-divisionbyzero/","summary":"The spomky-labs/otphp library is vulnerable to a denial of service (GHSA-g7m4-839x-ch6v) where an unbounded 'digits' parameter in an otpauth provisioning URI causes a DivisionByZeroError, leading to unhandled fatal errors in applications trying to generate or verify OTPs.","title":"spomky-labs/otphp Unbounded Digits Parameter Leads to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-06-otphp-divisionbyzero/"}],"language":"en","title":"CraftedSignal Threat Feed - Otphp \u003c 11.4.3","version":"https://jsonfeed.org/version/1.1"}