Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-33661

WeChat Pay callback signature verification bypassed when Host header is localhost
Back to all
CVE

CVE-2026-33661

WeChat Pay callback signature verification bypassed when Host header is localhost

Summary

The verifywechatsign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely.

This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.

Vulnerable Code

src/Functions.php lines 243-246:

function verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void
{
    // BYPASS: Returns without any signature check if Host header is localhost
    if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {
        return;  // No signature verified!
    }
    // ... openssl_verify() only reached when Host != localhost
    $wechatSerial = $message->getHeaderLine('Wechatpay-Serial');
    $sign = $message->getHeaderLine('Wechatpay-Signature');
    $result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');
}

In PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), $request->getUri()->getHost() reads the Host HTTP header, which is fully attacker-controlled.

Proof of Concept

curl -X POST https://merchant.example.com/payment/wechat/callback \
  -H "Host: localhost" \
  -H "Content-Type: application/json" \
  -H "Wechatpay-Serial: any" \
  -H "Wechatpay-Timestamp: 1234567890" \
  -H "Wechatpay-Nonce: abc" \
  -H "Wechatpay-Signature: AAAA" \
  -d '{"id":"fake-order","event_type":"TRANSACTION.SUCCESS"}'

verifywechatsign() returns immediately without verifying the signature. The application marks the order as paid.

Impact

  • Payment fraud: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks
  • No authentication required: Pure network attack, zero privileges needed
  • Wide reach: Affects any application using yansongda/pay for WeChat Pay callback validation. However, in most environments, Nginx/Ingress/Cloudflare/WAF will directly reject the forgery of this request header, so there is no need to worry too much.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc, https://nvd.nist.gov/vuln/detail/CVE-2026-33661, https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f, https://github.com/yansongda/pay, https://github.com/yansongda/pay/releases/tag/v3.7.20

Severity

8.6

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.6
EPSS Probability
0.00016%
EPSS Percentile
0.03705%
Introduced Version
0
Fix Available
3.7.20

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading