Intel

AIKIDO-2026-565301

gregwar/captcha is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

54

Medium Risk

This Affects:

PHPgregwar/captcha
1.0.0 - 2.0.0
Fixed in 2.1.0
Are you affected? Scan for Free

TL;DR

The PhraseBuilder component generates CAPTCHA phrases by picking characters from the configured charset. Character selection uses array_rand, which relies on PHP's non-cryptographic Mersenne Twister generator. Because that generator is not cryptographically secure, the generated CAPTCHA phrases are more predictable, weakening the anti-automation protection and making CAPTCHA bypass easier. The fix selects characters with random_int and adds charset validation, falling back to the old behavior only when secure randomness is unavailable.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

gregwar/captcha is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in versions 1.0.0 - 2.0.0.

How to fix this

Upgrade the gregwar/captcha library to the patch version.