VYPR
Critical severity · NVD Advisory · Published Apr 29, 2021 · Updated Apr 28, 2021

Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain

CVE-2021-30492

Description

Impact

Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF).

Resolution

Validate the provided Zendesk subdomain to be a valid subdomain in:

  • getAuthUrl
  • getAccessToken
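As an added example, not code from the advisory or the zendesk_api_client_php project: a short PHP script that reproduces the subdomain rule from the fix commit and uses parse_url() to show why the check matters for the URL that getAccessToken() and getAuthUrl() interpolate. The helper names isValidSubdomain, buildTokenUrl, hostStaysUnder and checkSamples are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the advisory or the zendesk_api_client_php
// project. Helper names are assumptions; the sample inputs are constructed.

/** Same rule as the fix commit: one DNS label, 1-63 chars, no edge hyphens. */
function isValidSubdomain(string $subdomain): bool
{
    return preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?$/', $subdomain) === 1;
}

/** Builds the token URL the same way the library interpolates it. */
function buildTokenUrl(string $subdomain, string $domain = 'zendesk.com'): string
{
    return "https://$subdomain.$domain/oauth/tokens";
}

/** True when the URL's host is exactly one label directly under $domain. */
function hostStaysUnder(string $url, string $domain): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // parse_url() rejected the URL or found no host part
    }
    return preg_match('/^[^.]+\.' . preg_quote($domain, '/') . '$/', $host) === 1;
}

/** Returns [input => ['valid' => bool, 'host_ok' => bool]] per sample. */
function checkSamples(array $samples): array
{
    $out = [];
    foreach ($samples as $s) {
        $out[$s] = [
            'valid'   => isValidSubdomain($s),
            'host_ok' => hostStaysUnder(buildTokenUrl($s), 'zendesk.com'),
        ];
    }
    return $out;
}

// Constructed inputs: two tenant names that pass the rule, then inputs
// carrying characters that change which host the built URL points at.
$samples = ['acme', 'acme-support', '-acme', 'acme.example', 'acme/x', 'acme#'];
foreach (checkSamples($samples) as $s => $r) {
    printf("%-14s valid=%-3s host_ok=%s\n", $s,
        $r['valid'] ? 'yes' : 'no', $r['host_ok'] ? 'yes' : 'no');
}
```

Inputs that fail the label rule but still keep the host (such as `-acme`) show that the patch's DNS-label check is stricter than a host comparison alone, which is the safer side to err on.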

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: zendesk/zendesk_api_client_php (Packagist)
Affected versions: < 2.2.11
Patched versions: 2.2.11

Patches

1 commit: b451b743d9d6

Merge pull request #466 from zendesk/validate-zendesk-subdomain

https://github.com/zendesk/zendesk_api_client_php · Yasith Fernando · Apr 28, 2021 · via ghsa
1 file changed · +16 −0
  • src/Zendesk/API/Utilities/OAuth.php (+16 −0, modified)
    @@ -2,6 +2,7 @@
     
     namespace Zendesk\API\Utilities;
     
    +use InvalidArgumentException;
     use GuzzleHttp\Client;
     use GuzzleHttp\Exception\RequestException;
     use GuzzleHttp\Psr7\Request;
    @@ -22,6 +23,7 @@ class OAuth
          */
         public static function getAccessToken(Client $client, $subdomain, array $params, $domain = 'zendesk.com')
         {
    +        static::validateSubdomain($subdomain);
             $authUrl  = "https://$subdomain.$domain/oauth/tokens";
     
             // Fetch access_token
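Review bot: the `$domain` parameter of getAccessToken() is still interpolated into `$authUrl` unvalidated on the line right after the new `static::validateSubdomain($subdomain);` call, so the host-escape this hunk closes for `$subdomain` remains open if a caller ever passes `$domain` from untrusted input. Either run the same label-style check on each label of `$domain` or document that `$domain` must be a trusted, caller-controlled constant.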
    @@ -55,6 +57,7 @@ public static function getAccessToken(Client $client, $subdomain, array $params,
          */
         public static function getAuthUrl($subdomain, array $options, $domain = 'zendesk.com')
         {
    +        static::validateSubdomain($subdomain);
             $queryParams = [
                 'response_type' => 'code',
                 'client_id'    => null,
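Review bot: the docblock that closes just above getAuthUrl() (the `*/` at the top of this hunk) is not updated to declare `@throws InvalidArgumentException`, so callers reading the documented contract will not learn that the method now throws before building the URL; the same applies to getAccessToken() in the previous hunk. Add the `@throws` line to both docblocks alongside the new call.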
    @@ -71,4 +74,17 @@ public static function getAuthUrl($subdomain, array $options, $domain = 'zendesk
     
             return $oAuthUrl;
         }
    +
    +    /**
    +     * Validate subdomain
    +     *
    +     * @param string $subdomain
    +     * @throws InvalidArgumentException
    +     */
    +    private static function validateSubdomain($subdomain)
    +    {
    +        if (! preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?$/', $subdomain)) {
    +            throw new InvalidArgumentException('Invalid Zendesk subdomain.');
    +        }
    +    }
     }
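Review bot: the pattern in validateSubdomain() accepts exactly one DNS label (1 to 63 alphanumerics or hyphens, no leading or trailing hyphen), which rejects `.`, `/`, `@`, `#` and `?` and therefore keeps the interpolated host under `$domain`; that is the right shape for the fix. One gap: on PHP 8 `preg_match()` throws a TypeError when `$subdomain` is not a string (for example an array), so the documented InvalidArgumentException is not what callers get in that case. Guard with `if (! is_string($subdomain) || ! preg_match(...))` so the method always fails the way its `@throws` tag promises.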
    

