phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Description
phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. An attacker who supplies the certificate fully controls the host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example the loopback address 127.0.0.1, the cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing destination validation and default-enabled URL fetching in AIA extension processing allow an attacker-controlled URL to trigger outbound connections to arbitrary hosts and ports."
Attack vector
An unauthenticated attacker crafts an X.509 certificate containing a malicious AIA `caIssuers` URL pointing to an internal host (e.g., `127.0.0.1`, `169.254.169.254`) and an arbitrary port. When an application validates this certificate via `X509::validateSignature()`, phpseclib extracts the URL from the certificate and connects to it using `fsockopen()`. No authentication or user interaction is required. The attacker controls the host, port, and path of the outbound request, enabling SSRF against internal services [ref_id=1].
Affected code
The vulnerability resides in `phpseclib/File/X509.php`. The `validateSignature()` method (and its internal helper `testForIntermediate()`) reads a URL from the certificate's Authority Information Access (AIA) `caIssuers` field and passes it to `fetchURL()`, which opens an `fsockopen()` connection to the attacker-controlled host and port. The `$disable_url_fetch` flag defaults to `false`, so fetching is enabled by default with no destination validation. This affects all versions from 0.1.1 up to (but not including) 1.0.30, 2.0.55, and 3.0.54.
What the fix does
The fix changes the default of `$disable_url_fetch` from `false` to `true`, making AIA fetching opt-in rather than opt-out. Additionally, destination validation is added inside `fetchURL()` to reject loopback, link-local, private, and metadata addresses, and port restrictions are applied. These changes ensure that an integrator must explicitly enable URL fetching and that even when enabled, only safe destinations are reachable, closing the SSRF vector [ref_id=1].
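The kind of destination check described above, written out as an added example; it is not phpseclib's patch and not code from the advisory. The function name `safeAiaDestination`, the port-80-only policy and the sample URLs are assumptions made for illustration.

```php
<?php
// Added illustration, not phpseclib's fetchURL() patch.
// safeAiaDestination(), the port policy and the sample URLs are assumptions.

/** Returns the vetted IP to connect to, or null when the URL must not be fetched. */
function safeAiaDestination(string $url, array $allowedPorts = [80]): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // unparseable or relative URL
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return null;                      // only plain HTTP is accepted here
    }
    if (!in_array($parts['port'] ?? 80, $allowedPorts, true)) {
        return null;                      // the certificate must not choose the port
    }
    $host = trim($parts['host'], '[]');   // parse_url() keeps [] on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);  // resolve names (IPv4 A records only)
    if ($ips === []) {
        return null;                      // host did not resolve
    }
    // NO_RES_RANGE covers 127.0.0.0/8 and 169.254.0.0/16 (metadata address);
    // NO_PRIV_RANGE covers the RFC 1918 private ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;                  // one internal answer rejects the whole URL
        }
    }
    return $ips[0];                       // connect to this IP, not to the name again
}

// Constructed sample caIssuers URLs (192.0.2.10 stands in for a public CA host).
$samples = [
    'http://127.0.0.1:8080/ca.crt',
    'http://169.254.169.254/ca.crt',
    'http://10.0.0.5/ca.crt',
    'http://[::1]/ca.crt',
    'http://192.0.2.10:8443/ca.crt',
    'http://192.0.2.10/ca.crt',
];
foreach ($samples as $url) {
    printf("%-34s %s\n", $url, safeAiaDestination($url) ?? 'REJECTED');
}
```

Returning the resolved IP lets the caller connect to the address that was checked, so a second DNS lookup cannot swap in an internal one after validation.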
Preconditions
- input: The application must call `X509::validateSignature()` on an attacker-supplied certificate.
- config: No trusted CA in the store matches the certificate's issuer, causing `testForIntermediate()` to be invoked.
- input: The attacker's certificate must include an AIA `caIssuers` extension with a URL.
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4 (mitre, x_refsource_CONFIRM)