phpseclib has released versions 3.0.36, 2.0.47, and 1.0.23 to address problems related to maliciously formed certificates that could lead to a denial of service attack.
The first issue, CVE-2024-27354, can be triggered when phpseclib attempts to read a malformed certificate containing an extremely large prime.
The second issue, CVE-2024-27355, can be triggered by a certificate with a very large ASN.1 sub-identifier.
Both affect versions >= 1.0.0 and <= 1.0.22 for the 1.x branch, >= 2.0.0 and <= 2.0.46 for the 2.x branch, and >= 3.0.0 and <= 3.0.35 for the 3.x branch.
Both are resolved in the new releases at https://github.com/phpseclib/phpseclib/releases
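
One way to check a project's `composer.lock` against the affected ranges above. This is an added example, not part of the phpseclib advisory or the project's code. It assumes Composer's lock-file layout with `packages` and `packages-dev` arrays, and the sample lock content is constructed.

```python
import json
import re

# Affected ranges and fixed releases, taken from the advisory text above.
AFFECTED = {
    1: ((1, 0, 0), (1, 0, 22), "1.0.23"),
    2: ((2, 0, 0), (2, 0, 46), "2.0.47"),
    3: ((3, 0, 0), (3, 0, 35), "3.0.36"),
}

def parse_version(text):
    """Return (major, minor, patch), or None for strings such as dev-master."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def check_version(text):
    """Classify one version string and name the fixed release if affected."""
    ver = parse_version(text)
    if ver is None:
        return "unknown", None  # branch aliases, pre-releases: review by hand
    branch = AFFECTED.get(ver[0])
    if branch and branch[0] <= ver <= branch[1]:
        return "affected", branch[2]
    return "outside affected ranges", None

def audit_lock(lock_text):
    """Find phpseclib/phpseclib entries in composer.lock content."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == "phpseclib/phpseclib":
                status, fix = check_version(pkg.get("version", ""))
                findings.append((section, pkg.get("version"), status, fix))
    return findings

# Constructed sample composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpseclib/phpseclib", "version": "3.0.35"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status, fix in audit_lock(SAMPLE_LOCK):
        note = f" (upgrade to {fix} or later)" if fix else ""
        print(f"{section}: phpseclib/phpseclib {version} -> {status}{note}")
```

Versions reported as `unknown` (for example a branch alias instead of a tagged release) need a manual look at the installed commit.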