Security vulnerability caused by guzzlehttp/oauth-subscriber

[thomas-jaeger]

Describe the bug

Currently, a security issue is being reported due to the use of guzzlehttp/oauth-subscriber:

# composer audit

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/oauth-subscriber                                                      |
| Severity          | low                                                                              |
| CVE               | CVE-2025-21617                                                                   |
| Title             | Guzzle OAuth Subscriber has insufficient nonce entropy                           |
| URL               | https://github.com/advisories/GHSA-237r-r8m4-4q88                                |
| Affected versions | <0.8.1                                                                           |
| Reported at       | 2025-01-06T19:23:26+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Steps to reproduce

1. add verbb/formie:2.1.37 as dependency to your project
2. run composer audit

Form settings

n/a

Craft CMS version

4.13.9

Plugin version

2.1.37

Multi-site?

No

Additional context

No response

[mnlmaier]

👍🏻 +1, also opened an issue related to this, with security-advisories failing: #2215

would be great if this could be resolved :)

[engram-design]

Fixed for the next release. To get this early, run composer require verbb/formie:"dev-craft-4 as 2.1.37".