GHSA-G7M4-839X-CH6V
Vulnerability from github – Published: 2026-06-18 20:45 – Updated: 2026-06-18 20:45Summary
The digits parameter parsed from a provisioning URI is validated only with a lower bound ($value > 0) and has no upper bound (src/OTP.php:353-357). OTP generation computes $code % (10 ** $this->getDigits()) (src/OTP.php:283). When digits is large enough that 10 ** digits overflows PHP's integer range and the (int) cast yields 0 (around digits >= 40 on 64-bit PHP 8.x), the modulo operand becomes 0 and PHP raises a DivisionByZeroError.
Impact
OTPHP\Factory::loadFromProvisioningUri() forwards the attacker-controlled digits query value to setParameter('digits', $value), so a hostile URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50 produces an OTP object whose at(), now(), and verify() all throw DivisionByZeroError. Because DivisionByZeroError extends Error (not Exception), callers that guard OTP generation with a catch (\Exception) do not catch it, turning a malformed URI into an unhandled fatal error (denial of service of the verification path).
Measured threshold on PHP 8.3: digits = 30 works, digits >= 40 throws DivisionByZeroError: Modulo by zero.
Affected component
src/OTP.php:353-357—digitsparameter callback (no upper bound)src/OTP.php:283—$code % (10 ** $this->getDigits())
Proof of concept
use OTPHP\Factory;
use OTPHP\InternalClock;
$otp = Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50',
new InternalClock()
);
$otp->at(0); // DivisionByZeroError: Modulo by zero (escapes catch (\Exception))
Remediation
Enforce a sane upper bound on digits in the parameter validation callback (e.g. reject values above 8–10, the practical range for OTPs) so that an out-of-range value is rejected with a documented exception instead of producing an object that fails later with an uncatchable Error.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "spomky-labs/otphp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T20:45:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe `digits` parameter parsed from a provisioning URI is validated only with a lower bound (`$value \u003e 0`) and has no upper bound (`src/OTP.php:353-357`). OTP generation computes `$code % (10 ** $this-\u003egetDigits())` (`src/OTP.php:283`). When `digits` is large enough that `10 ** digits` overflows PHP\u0027s integer range and the `(int)` cast yields `0` (around `digits \u003e= 40` on 64-bit PHP 8.x), the modulo operand becomes `0` and PHP raises a `DivisionByZeroError`.\n\n## Impact\n\n`OTPHP\\Factory::loadFromProvisioningUri()` forwards the attacker-controlled `digits` query value to `setParameter(\u0027digits\u0027, $value)`, so a hostile URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026digits=50` produces an OTP object whose `at()`, `now()`, and `verify()` all throw `DivisionByZeroError`. Because `DivisionByZeroError` extends `Error` (not `Exception`), callers that guard OTP generation with a `catch (\\Exception)` do not catch it, turning a malformed URI into an unhandled fatal error (denial of service of the verification path).\n\nMeasured threshold on PHP 8.3: `digits = 30` works, `digits \u003e= 40` throws `DivisionByZeroError: Modulo by zero`.\n\n## Affected component\n\n- `src/OTP.php:353-357` \u2014 `digits` parameter callback (no upper bound)\n- `src/OTP.php:283` \u2014 `$code % (10 ** $this-\u003egetDigits())`\n\n## Proof of concept\n\n```php\nuse OTPHP\\Factory;\nuse OTPHP\\InternalClock;\n\n$otp = Factory::loadFromProvisioningUri(\n \u0027otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026digits=50\u0027,\n new InternalClock()\n);\n$otp-\u003eat(0); // DivisionByZeroError: Modulo by zero (escapes catch (\\Exception))\n```\n\n## Remediation\n\nEnforce a sane upper bound on `digits` in the parameter validation callback (e.g. reject values above 8\u201310, the practical range for OTPs) so that an out-of-range value is rejected with a documented exception instead of producing an object that fails later with an uncatchable `Error`.",
"id": "GHSA-g7m4-839x-ch6v",
"modified": "2026-06-18T20:45:48Z",
"published": "2026-06-18T20:45:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Spomky-Labs/otphp/security/advisories/GHSA-g7m4-839x-ch6v"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/spomky-labs/otphp/GHSA-g7m4-839x-ch6v.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/Spomky-Labs/otphp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "spomky-labs/otphp: Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.