{"uuid": "f74dd528-8663-4f07-a0cf-959951b4d7de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-2jx3-65f3-xr8r", "type": "seen", "source": "https://gist.github.com/alon710/d087f67b06897a54af2f681ad9224585", "content": "# GHSA-2JX3-65F3-XR8R: Dynamic Property Injection (Mass Assignment) in spomky-labs/otphp\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-2JX3-65F3-XR8R\n\n## Summary\nA mass-assignment (dynamic property injection) vulnerability exists in the PHP One-Time Password (OTP) library spomky-labs/otphp, in the `Factory::loadFromProvisioningUri` method. When an application loads an OTP provisioning URI (such as the configuration link encoded in an enrolment QR code), a hostile URI can carry query parameters that overwrite internal, private, or read-only properties of the resulting OTP object. The result is corrupted application state, bypassed validation, or an uncaught `TypeError` that aborts the request handling the URI.\n\n## TL;DR\nA remote, unauthenticated attacker who can get a crafted OTP provisioning URI into `Factory::loadFromProvisioningUri` (for example through an import or enrolment feature that accepts user-supplied URIs) can overwrite internal properties of `otphp` objects, causing denial of service, validation bypasses, or immediate request failures. The issue is rated Medium (CVSS v4 5.3).\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-915\n- **Attack Vector**: Network\n- **CVSS v4 Score**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept\n- **Affected Component**: `Factory::loadFromProvisioningUri`\n- **Vulnerability Class**: Improperly Controlled Modification of Dynamically-Determined Object Attributes\n\n## Affected Systems\n\n- Web applications incorporating PHP MFA / TOTP / HOTP functionality based on the spomky-labs/otphp library prior to v11.4.3\n- **spomky-labs/otphp**: < 11.4.3 (Fixed in: `11.4.3`)\n\n## Mitigation\n\n- Upgrade the spomky-labs/otphp package to version 11.4.3 or later\n- Until the upgrade ships, validate provisioning URIs server-side before parsing: allow only the expected otpauth query parameters and reject any URI whose query contains nested (bracketed) keys. Client-side checks do not help here, because the attacker controls the URI\n- Catch all `Throwable` types around OTP factory loaders, so that a `TypeError` raised by a hostile URI becomes a controlled error rather than an uncaught exception\n\n**Remediation Steps:**\n1. Run `composer update spomky-labs/otphp` to pull the patched version (11.4.3). This only works if the version constraint in `composer.json` permits it, so confirm the installed version afterwards with `composer show spomky-labs/otphp`\n2. Audit application logic to verify that all `Factory::loadFromProvisioningUri` calls are wrapped in robust try-catch blocks\n3. Verify with system tests that URIs containing disallowed nested parameters such as `parameters[...]` or `clock[...]` are discarded\n\n## References\n\n- [GitHub Security Advisory GHSA-2jx3-65f3-xr8r](https://github.com/Spomky-Labs/otphp/security/advisories/GHSA-2jx3-65f3-xr8r)\n- [FriendsOfPHP Security Advisory for GHSA-2jx3-65f3-xr8r](https://github.com/FriendsOfPHP/security-advisories/blob/master/spomky-labs/otphp/GHSA-2jx3-65f3-xr8r.yaml)\n- [Official Spomky-Labs otphp Repository](https://github.com/Spomky-Labs/otphp)\n- [Vulnerability Fix Diff / Patch Compare View](https://github.com/Spomky-Labs/otphp/compare/11.4.2...11.4.3.diff)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-2JX3-65F3-XR8R) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T02:11:47.000000Z"}
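Worked example of the interim mitigation and the try-catch wrapping from the remediation steps above. This is an added example, not code from the advisory or from the otphp project. It assumes otphp is installed through Composer and exposes `OTPHP\Factory::loadFromProvisioningUri()` (the affected method the advisory names); the allow-list of query keys, the helper `loadProvisioningUriSafely()`, the sample URIs and the placeholder secret are all the editor's own constructions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or of spomky-labs/otphp.
// Assumes otphp is installed with Composer; everything else here is the editor's own.
require __DIR__ . '/vendor/autoload.php';

use OTPHP\Factory;
use OTPHP\OTPInterface;

// Query keys defined by the otpauth:// Key URI format. Any other key is rejected
// before the URI reaches the library (assumption: your deployment uses no vendor extensions).
const ALLOWED_OTPAUTH_PARAMS = ['secret', 'issuer', 'algorithm', 'digits', 'period', 'counter'];

/**
 * Validate an otpauth:// URI, then hand it to the library inside a Throwable guard.
 * Throws InvalidArgumentException for anything that is not a plain, expected URI.
 */
function loadProvisioningUriSafely(string $uri): OTPInterface
{
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'otpauth') {
        throw new InvalidArgumentException('Not an otpauth:// URI');
    }

    // parse_str() is what turns parameters[x]=y or clock[x]=y (also %5B/%5D-encoded)
    // into nested arrays, so inspect its output rather than the raw query string.
    $query = [];
    parse_str($parts['query'] ?? '', $query);

    foreach ($query as $key => $value) {
        if (is_array($value)) {
            throw new InvalidArgumentException(sprintf('Nested query parameter %s rejected', (string) $key));
        }
        if (!in_array($key, ALLOWED_OTPAUTH_PARAMS, true)) {
            throw new InvalidArgumentException(sprintf('Unexpected query parameter %s rejected', (string) $key));
        }
    }

    try {
        return Factory::loadFromProvisioningUri($uri);
    } catch (Throwable $e) {
        // Remediation step 2: a TypeError or any other failure inside the factory becomes
        // a controlled rejection instead of an uncaught error that aborts the request.
        throw new InvalidArgumentException('Rejected OTP provisioning URI', 0, $e);
    }
}

// Constructed sample input: one well-formed TOTP URI and two hostile ones of the shape
// remediation step 3 says to discard. The secret is a placeholder, not a real key.
$samples = [
    'otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30',
    'otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&parameters[digits]=1',
    'otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&clock%5Boffset%5D=9999',
];

foreach ($samples as $uri) {
    try {
        $otp = loadProvisioningUriSafely($uri);
        printf("accepted: %s\n", get_class($otp));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The first URI is accepted; the second and third are rejected before the library sees them, the third showing that percent-encoded brackets are caught because the check runs on the decoded `parse_str()` output. Keep the allow-list in place after upgrading to 11.4.3 as defence in depth, and run `composer audit` (Composer 2.4 or later) to confirm no installed package still matches a published advisory.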