CVE-2024-28864
CVE-2024-28864 is a low-severity vulnerability in Ilicmiljan Secureprops with a CVSS 3.x base score of 2.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.
Key facts
- Severity: Low (CVSS 3.x base score 2.6)
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-1003
- Weakness: CWE-1333
- Affected product: Ilicmiljan Secureprops
- Published:
- Last modified:
Description
SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default.
Frequently asked questions
- What is CVE-2024-28864?
- SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default.
- How severe is CVE-2024-28864?
- CVE-2024-28864 has a CVSS 3.x base score of 2.6, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2024-28864 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-28864?
- CVE-2024-28864 primarily affects Ilicmiljan Secureprops. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-28864?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-28864 have an EU (EUVD) identifier?
- Yes. CVE-2024-28864 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-1003.
- When was CVE-2024-28864 published?
- CVE-2024-28864 was published on 2024-03-18 and last updated on 2026-06-17.
References
- https://github.com/IlicMiljan/Secure-Props/commit/ab7b561040cd37fda3dbf9a6cab01fefcaa16627
- https://github.com/IlicMiljan/Secure-Props/issues/20
- https://github.com/IlicMiljan/Secure-Props/pull/21
- https://github.com/IlicMiljan/Secure-Props/security/advisories/GHSA-rj29-j2g4-77q8
Affected products (2)
- cpe:2.3:a:ilicmiljan:secureprops:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ilicmiljan:secureprops:1.2.1:*:*:*:*:*:*:*
Other CWE-1333 vulnerabilities
- CVE-2026-35458 — Critical (CVSS 9.8): Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile…
- CVE-2023-29486 — Critical (CVSS 9.8): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass…
- CVE-2026-25547 — Critical (CVSS 9.2): @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1,…
- CVE-2023-29487 — Critical (CVSS 9.1): An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS,…
- CVE-2026-47138 — High (CVSS 8.7): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…
- CVE-2025-6998 — High (CVSS 8.7): ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated…