SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder
and passed to TagAwareCipher
, and contains special characters such as n
. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement TagAwareCipher
with any base cipher that has NullEncoder
(not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default Base64Encoder
with the base cipher decorated with TagAwareCipher
to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since TagAwareCipher
uses NullEncoder
by default.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.