Technologyglobal✓ verified · 90%

spomky-labs/otphp: Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation

Name: spomky-labs/otphp: Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation
Start: 2026-06-18T20:45:47Z
Location: Global (internet)

When: 2026-06-18 20:45 UTC
Where: Global (internet)
Category: cyber_advisory · composer

## Summary The `digits` parameter parsed from a provisioning URI is validated only with a lower bound (`$value > 0`) and has no upper bound (`src/OTP.php:353-357`). OTP generation computes `$code % (10 ** $this->getDigits())` (`src/OTP.php:283`). When `digits` is large enough that `10 ** digits` overflows PHP's integer range and the `(int)` cast yields `0` (around `digits >= 40` on 64-bit PHP 8.x), the modulo operand becomes `0` and PHP raises a `DivisionByZeroError`. ## Impact `OTPHP\Factory::loadFromProvisioningUri()` forwards the attacker-controlled `digits` query value to `setParameter('digits', $value)`, so a hostile URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50` produces an OTP object whose `at()`, `now()`, and `verify()` all throw `DivisionByZeroError`. Because `DivisionByZeroError` extends `Error` (not `Exception`), callers that guard OTP generation with a `catch (\Exception)` do not catch it, turning a malformed URI into an unhandled fatal error (denial of service of the verification path). Measured threshold on PHP 8.3: `digits = 30` works, `digits >= 40` throws `DivisionByZeroError: Modulo by zero`. ## Affected component - `src/OTP.php:353-357` — `digits` parameter callback (no upper bound) - `src/OTP.php:283` — `$code % (10 ** $this->getDigits())` ## Proof of concept ```php use OTPHP\Factory; use OTPHP\InternalClock; $otp = Factory::loadFromProvisioningUri( 'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&digits=50', new InternalClock() ); $otp->at(0); // DivisionByZeroError: Modulo by zero (escapes catch (\Exception)) ``` ## Remediation Enforce a sane upper bound on `digits` in the parameter validation callback (e.g. reject values above 8–10, the practical range for OTPs) so that an out-of-range value is rejected with a documented exception instead of producing an object that fails later with an uncatchable `Error`.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 20:45 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

← Back to the live map