PHP
CVE-2026-33661
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The verify_wechat_sign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely.
This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.
Vulnerable Code
src/Functions.php lines 243-246:
function verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void
{
// BYPASS: Returns without any signature check if Host header is localhost
if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {
return; // No signature verified!
}
// ... openssl_verify() only reached when Host != localhost
$wechatSerial = $message->getHeaderLine('Wechatpay-Serial');
$sign = $message->getHeaderLine('Wechatpay-Signature');
$result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');
}In PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), $request->getUri()->getHost() reads the Host HTTP header, which is fully attacker-controlled.
Proof of Concept
curl -X POST https://merchant.example.com/payment/wechat/callback \
-H "Host: localhost" \
-H "Content-Type: application/json" \
-H "Wechatpay-Serial: any" \
-H "Wechatpay-Timestamp: 1234567890" \
-H "Wechatpay-Nonce: abc" \
-H "Wechatpay-Signature: AAAA" \
-d '{"id":"fake-order","event_type":"TRANSACTION.SUCCESS"}'verify_wechat_sign() returns immediately without verifying the signature. The application marks the order as paid.
Impact
- Payment fraud: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks
- No authentication required: Pure network attack, zero privileges needed
- Wide reach: Affects any application using
yansongda/payfor WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.
AnalysisAI
The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability.
Technical ContextAI
This vulnerability affects the yansongda/pay Composer package (pkg:composer/yansongda_pay), a PHP library providing integration with WeChat Pay payment services. The flaw is rooted in CWE-290 (Authentication Bypass by Spoofing), where the verification logic in src/Functions.php trusts the attacker-controlled Host header from PSR-7 HTTP request objects. PSR-7 is a PHP standard for HTTP message interfaces, implemented by libraries like Nyholm and Guzzle, where the getUri()->getHost() method directly reads the Host header without validation. The vulnerable code path intended to skip verification during local development but failed to account for header spoofing in production environments, creating a logic flaw that completely bypasses the openssl_verify() RSA signature check that normally validates WeChat Pay's cryptographic signatures.
RemediationAI
Upgrade yansongda/pay to version 3.7.20 or later, which addresses the authentication bypass as documented in the release notes at https://github.com/yansongda/pay/releases/tag/v3.7.20. The fix commit is available at https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f for review. Until patching is possible, implement strict Host header validation at the reverse proxy or application layer to ensure the Host header matches expected domain names and reject requests with localhost or unexpected values. Configure Nginx, Apache, or other reverse proxies to normalize Host headers and drop requests with spoofed values. As an additional defense-in-depth measure, implement IP allowlisting for WeChat Pay callback endpoints to accept notifications only from documented WeChat Pay server IP ranges, and consider implementing additional webhook authentication mechanisms such as shared secrets or request signing at the application layer.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today