gregwar/captcha is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
54
Medium Risk
The PhraseBuilder component generates CAPTCHA phrases by picking characters from the configured charset. Character selection uses array_rand, which relies on PHP's non-cryptographic Mersenne Twister generator. Because that generator is not cryptographically secure, the generated CAPTCHA phrases are more predictable, weakening the anti-automation protection and making CAPTCHA bypass easier. The fix selects characters with random_int and adds charset validation, falling back to the old behavior only when secure randomness is unavailable.
You are affected if you are using a version that falls within the vulnerable range.
gregwar/captcha is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in versions 1.0.0 - 2.0.0.
Upgrade the gregwar/captcha library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant