Skip to main content

PHP CVE-2026-33661

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-03-25 https://github.com/yansongda/pay
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 19:32 vuln.today
Patch released
Mar 25, 2026 - 19:32 nvd
Patch available
CVE Published
Mar 25, 2026 - 19:30 nvd
HIGH 8.6

DescriptionGitHub Advisory

Summary

The verify_wechat_sign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely.

This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.

Vulnerable Code

src/Functions.php lines 243-246:

php
function verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void
{
    // BYPASS: Returns without any signature check if Host header is localhost
    if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {
        return;  // No signature verified!
    }

    // ... openssl_verify() only reached when Host != localhost
    $wechatSerial = $message->getHeaderLine('Wechatpay-Serial');
    $sign = $message->getHeaderLine('Wechatpay-Signature');
    $result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');
}

In PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), $request->getUri()->getHost() reads the Host HTTP header, which is fully attacker-controlled.

Proof of Concept

bash
curl -X POST https://merchant.example.com/payment/wechat/callback \
  -H "Host: localhost" \
  -H "Content-Type: application/json" \
  -H "Wechatpay-Serial: any" \
  -H "Wechatpay-Timestamp: 1234567890" \
  -H "Wechatpay-Nonce: abc" \
  -H "Wechatpay-Signature: AAAA" \
  -d '{"id":"fake-order","event_type":"TRANSACTION.SUCCESS"}'

verify_wechat_sign() returns immediately without verifying the signature. The application marks the order as paid.

Impact

  • Payment fraud: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks
  • No authentication required: Pure network attack, zero privileges needed
  • Wide reach: Affects any application using yansongda/pay for WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.

AnalysisAI

The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability.

Technical ContextAI

This vulnerability affects the yansongda/pay Composer package (pkg:composer/yansongda_pay), a PHP library providing integration with WeChat Pay payment services. The flaw is rooted in CWE-290 (Authentication Bypass by Spoofing), where the verification logic in src/Functions.php trusts the attacker-controlled Host header from PSR-7 HTTP request objects. PSR-7 is a PHP standard for HTTP message interfaces, implemented by libraries like Nyholm and Guzzle, where the getUri()->getHost() method directly reads the Host header without validation. The vulnerable code path intended to skip verification during local development but failed to account for header spoofing in production environments, creating a logic flaw that completely bypasses the openssl_verify() RSA signature check that normally validates WeChat Pay's cryptographic signatures.

RemediationAI

Upgrade yansongda/pay to version 3.7.20 or later, which addresses the authentication bypass as documented in the release notes at https://github.com/yansongda/pay/releases/tag/v3.7.20. The fix commit is available at https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f for review. Until patching is possible, implement strict Host header validation at the reverse proxy or application layer to ensure the Host header matches expected domain names and reject requests with localhost or unexpected values. Configure Nginx, Apache, or other reverse proxies to normalize Host headers and drop requests with spoofed values. As an additional defense-in-depth measure, implement IP allowlisting for WeChat Pay callback endpoints to accept notifications only from documented WeChat Pay server IP ranges, and consider implementing additional webhook authentication mechanisms such as shared secrets or request signing at the application layer.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy