php · phpseclib/phpseclib · Heads-up
phpseclib X509 certificate validation SSRF vulnerability
The validateSignature() method in X509 fetches URLs from the AIA extension without restrictions, enabling SSRF when validating untrusted certificates.
What changed
validateSignature() in the X509 class follows URLs found in a certificate's Authority Information Access (AIA) extension with no restriction on scheme or destination, so an untrusted certificate can make the validating application issue outbound requests to addresses chosen by whoever crafted the certificate (SSRF). This URL fetching is enabled by default.
Who it affects
Applications using phpseclib to validate X.509 certificates from untrusted sources, including client-certificate checks, S/MIME verification, CMS signer verification, and document/code-signing validation.
What to do today
Disable URL fetching by calling X509::disableURLFetch() before certificate validation, or update to a patched version when available.
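The mitigation above, as an added example that is not part of the advisory or of phpseclib's own documentation. It assumes phpseclib 3 (namespace phpseclib3\File\X509) installed via Composer; the function name verifyUntrustedCert and the PEM inputs are placeholders, and the shape of the parsed AIA structure is taken from phpseclib's ASN.1 maps.

```php
<?php
require 'vendor/autoload.php';

use phpseclib3\File\X509;

/**
 * Hardened verification of a certificate from an untrusted source.
 * Only the explicitly loaded CA is trusted; AIA URLs are never fetched.
 * (Added example; verifyUntrustedCert is a hypothetical helper name.)
 */
function verifyUntrustedCert(string $certPem, string $caPem): bool
{
    // Process-wide static switch. Must run before loadX509()/validateSignature()
    // so that chain gaps are not "filled" by following caIssuers URLs
    // embedded in the attacker-controlled certificate.
    X509::disableURLFetch();

    $x509 = new X509();
    if ($x509->loadCA($caPem) === false) {
        throw new RuntimeException('trusted CA certificate failed to parse');
    }
    if ($x509->loadX509($certPem) === false) {
        return false; // malformed certificate: reject, do not retry with fetching
    }

    // Defender-side visibility: record which URLs the default configuration
    // would have contacted, so unexpected destinations can be alerted on.
    $aia = $x509->getExtension('id-pe-authorityInfoAccess');
    if (is_array($aia)) {
        foreach ($aia as $access) {
            $url = $access['accessLocation']['uniformResourceIdentifier'] ?? null;
            if ($url !== null) {
                error_log(sprintf('AIA %s -> %s (not fetched)', $access['accessMethod'], $url));
            }
        }
    }

    // With fetching disabled, true means the chain ends at the loaded CA.
    return $x509->validateSignature() === true;
}
```

Call X509::disableURLFetch() once during bootstrap rather than relying on every code path to remember it; the setting is static, so one missed path re-exposes the whole process.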