Security Advisory
Jul. 2026: PHP lib - verifySolution bypasses HMAC signature check when challenge signature is absent
Vulnerability Summary
In the PHP library v2, the verifySolution method skips HMAC signature verification when the signature field is absent from the challenge payload, even when hmacSignatureSecret is configured.
An attacker who strips the signature key from the challenge JSON passes the condition as false, bypassing tamper-detection entirely. The PoW solution check then runs against unverified parameters — allowing an attacker to self-issue a low-difficulty challenge, solve it trivially, and submit a payload that verifies as true.
Impact
Complete CAPTCHA bypass on any deployment that sets hmacSignatureSecret (the recommended production configuration).
Fix
The check was split so that a missing signature is explicitly rejected when a secret is configured.
Status
PATCHED
GitHub Adivisory: https://github.com/altcha-org/altcha-lib-php/security/advisories/GHSA-82w8-65qw-gch6
Timeline
- Jul. 2, 2026: Reported by Markus Fasselt (https://fasselt.it)
- Jul. 2, 2026: Confirmed and patched by ALTCHA, patch published as v2.0.3
- Jul. 7, 2026: This adivisory published
Dec. 2025: Proof-of-Work Vulnerable to Challenge Splicing and Replay
Vulnerability Summary
ALTCHA libraries are affected by a cryptographic semantic binding flaw that enables challenge payload splicing, which can lead to replay attacks (CWE-115, CWE-347). The HMAC signature only binds to the concatenation of the salt string and the nonce, without clearly delimiting where challenge parameters end and the nonce begins. As a result, an attacker can reinterpret a previously valid payload by shifting digits between the expiration parameter and the nonce. For example, treating salt?expire=100987 as salt?expire=1009 with nonce 87.
This vulnerability can make a challenge appear valid for an arbitrarily long time, allowing it to be reused beyond its intended lifetime. In common server implementations that track used nonces only for a limited period and validate expiration using a simple expires > now check, this flaw enables repeated replay of previously solved challenges. An attacker can therefore amortize proof-of-work computation over time, progressively increasing effective throughput without performing additional work.
Impact
Medium. The effective impact depends on server-side replay handling and deployment assumptions. ALTCHA Sentinel versions prior to v1.16.0 are vulnerable.
Recommended Patch
Ensure explicit semantic separation between challenge parameters and the nonce by appending a delimiter to the end of the salt before HMAC computation. Specifically:
- Before:
<salt>?expires=<time> - After:
<salt>?expires=<time>&
Adding the & delimiter prevents parameter–nonce splicing by clearly terminating the parameter list. This change is backward-compatible with existing implementations, as & is treated as a standard URL parameter separator and does not alter the meaning of previously defined parameters.
Status
PATCHED
GitHub Adivisory: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959
Timeline
-
Dec. 10, 2025: Reported by Yumechi
-
Dec. 11, 2025: Investigated by ALTCHA and vulnerability confirmed
-
Dec. 14, 2025: This adivisory published
ALTCHA Sentinel patched in version
v1.16.0Integration libraries patched in the following versions:
- JS
https://github.com/altcha-org/altcha-lib:v1.4.1 - PHP
https://github.com/altcha-org/altcha-lib-php:v1.3.1 - Python
https://github.com/altcha-org/altcha-lib-py:v1.0.0 - Go
https://github.com/altcha-org/altcha-lib-go:v1.0.0 - Java
https://github.com/altcha-org/altcha-lib-java:v1.3.0 - Elixir
https://github.com/altcha-org/altcha-lib-ex:v1.0.0 - Ruby
https://github.com/altcha-org/altcha-lib-ex:v1.0.0 - Wordpress Plugin v2
https://github.com/altcha-org/altcha-wordpress-next:v2.3.1 - Wordpress Plugin v1
https://github.com/altcha-org/wordpress-plugin:v1.26.3
- JS
-
Dec. 14, 2025: GitHub Adivisory published, CVE requested
-
Dec. 15, 2025: Customers and 3rd-party integrators notified
-
Dec. 16, 2025: Assigned CVE-2025-68113
Copyright © 2024 Altcha.org - Dedicated to Privacy.
ALTCHA ® is a trademark registered in EU.
Do you like ALTCHA?
Support us by giving us a star on GitHub!
OSS hosted on GitHub • Website made with Astro Starlight.