Skip to content

[GHSA-g8pg-33v4-9r96] Thelia authentication bypass vulnerability#8012

Merged
advisory-database[bot] merged 1 commit into
RainSignal/advisory-improvement-8012from
RainSignal-GHSA-g8pg-33v4-9r96
Jul 17, 2026
Merged

[GHSA-g8pg-33v4-9r96] Thelia authentication bypass vulnerability#8012
advisory-database[bot] merged 1 commit into
RainSignal/advisory-improvement-8012from
RainSignal-GHSA-g8pg-33v4-9r96

Conversation

@RainSignal

Copy link
Copy Markdown

Updates

  • Affected products
  • Description

Comments
The advisory states the vulnerability is present from 2.1.0-beta1,
but code review shows this is incorrect. We examined the file
TokenProvider.php across multiple versions and confirmed the
vulnerable unserialize() code exists in all of them:

Since 2.0.0-RC1 is the earliest version we checked and already
contains the vulnerable code, the affected version range should
be updated to >= 2.0.0-RC1. The true introduction point may be
even earlier, but we could not confirm versions prior to 2.0.0-RC1.

Therefore, the affected versions should be changed from
">= 2.1.0-beta1, < 2.1.3" to "< 2.1.3".

Copilot stopped work on behalf of RainSignal due to an error June 11, 2026 15:50
@github-actions
github-actions Bot changed the base branch from main to RainSignal/advisory-improvement-8012 June 11, 2026 15:52
@github-actions

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jul 16, 2026
@shelbyc

shelbyc commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Hi @RainSignal, this PR is being merged agree with the decision to change the lower bound. I think it's possible that 2.1.0-beta1 was a typo.

Two lines of code from the fix commit thelia/thelia@028cfcf were introduced in two different commits.

As you pointed out, thelia/thelia@71c1cee introduced $data = unserialize(base64_decode($key)); in a commit tagged with 2.0.0-RC1 on GitHub. However, thelia/thelia@71c1cee was committed on 13 September 2013, and https://packagist.org/packages/thelia/thelia#2.0.0-beta1 shows that 2.0.0-beta1 was released on 25 October 2013. https://packagist.org/packages/thelia/thelia#2.0.0-RC1 shows that 2.0.0-RC1 was released on 03 March 2014.

thelia/thelia@a4ad03c introduced return base64_encode(serialize(array($user->getUsername(), $user->getToken(), $user->getSerial()))); in version 2.1.0-alpha1.

My hypothesis is that the author https://web.archive.org/web/20160502224630/http://thelia.net/version-2-1-3-with-security-fix intended to type 2.0.0-beta1 but confused 2.0.0-beta1 and 2.1.0-alpha1 and their fingers produced 2.1.0-beta1 as a mistake.

Thanks for the PR and gave a good weekend!

@advisory-database
advisory-database Bot merged commit edbe3c1 into RainSignal/advisory-improvement-8012 Jul 17, 2026
4 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @RainSignal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database
advisory-database Bot deleted the RainSignal-GHSA-g8pg-33v4-9r96 branch July 17, 2026 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants