PT-2025-4303 · Unknown · Guzzle Oauth Subscriber

Psyker156 · Published 2025-01-06 · Updated 2025-01-06 · CVE-2025-21617
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Guzzle OAuth Subscriber versions prior to 0.8.1
Description: The issue concerns the Guzzle OAuth Subscriber, which signs Guzzle requests using OAuth 1.0. Prior to version 0.8.1, the nonce is generated without sufficient entropy and without a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used.
Recommendations: For versions prior to 0.8.1, upgrade to version 0.8.1 or higher to resolve the issue. As a temporary workaround, use TLS to encrypt communications and minimize the risk of replay attacks. Where TLS cannot be used, restrict access to sensitive resources to reduce the potential impact of a replayed request.
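The following is an added example and is not code from the Guzzle OAuth Subscriber project or from this advisory. It contrasts a nonce built from a predictable source with one drawn from PHP's CSPRNG (random_bytes), and shows the server-side nonce/timestamp check that OAuth 1.0 relies on to reject a replayed request whatever the client used to build its nonce. The NonceStore class, the weakNonce/secureNonce names and the 300-second window are assumptions; PHP 8.0 or later is required.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the class of defect described above (not the
// library's actual code): time() is guessable and mt_rand() is not a CSPRNG,
// so an observer can narrow down, and an attacker can reuse, the nonce value.
function weakNonce(): string
{
    return md5(time() . mt_rand());
}

// Hardened form: 32 bytes from the OS CSPRNG, hex-encoded so it is safe in
// the Authorization header.
function secureNonce(): string
{
    return bin2hex(random_bytes(32));
}

// Server side: OAuth 1.0 expects the server to reject any
// (consumer key, timestamp, nonce) triple it has already accepted within
// its freshness window, which closes the replay avenue on its own.
final class NonceStore
{
    /** @var array<string, true> */
    private array $seen = [];

    public function __construct(private int $windowSeconds = 300) {}

    public function accept(string $consumerKey, string $nonce, int $timestamp, int $now): bool
    {
        if (abs($now - $timestamp) > $this->windowSeconds) {
            return false; // stale or future-dated: outside the freshness window
        }
        $key = $consumerKey . '|' . $timestamp . '|' . $nonce;
        if (isset($this->seen[$key])) {
            return false; // replay: identical triple was already accepted
        }
        $this->seen[$key] = true;
        return true;
    }
}

$store = new NonceStore();
$now = time();
$nonce = secureNonce();
printf("first use accepted: %s\n", var_export($store->accept('client-123', $nonce, $now, $now), true));
printf("replay accepted:    %s\n", var_export($store->accept('client-123', $nonce, $now, $now), true));
printf("stale accepted:     %s\n", var_export($store->accept('client-123', secureNonce(), $now - 600, $now), true));
```

The in-memory store is for illustration; a real resource server keeps seen triples in shared storage (for example a cache with a TTL equal to the window) so that every instance sees the same history.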
Related Identifiers

CVE-2025-21617
GHSA-237R-R8M4-4Q88

Affected Products

Guzzle Oauth Subscriber