CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-m557-wrgg-6rp4: phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

mediumCVSS 5.8CVE-2026-55599
Summary When an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. It is reproducible on current released LTS 3.0.53 and on 4.0 development line. Details When no already-trusted certificate authority is the issuer of certificate under validation, validateSignatureCountable() continues to AIA fetching. Default for validateSignature() is caonly = true: // phpseclib/File/X509.php:1316-1327 (4.0 development line, commit 74ada1a6) if (!isset($signingCert)) { if ($caonly) { return $this->testForIntermediate(true, $count) && $this->validateSignature(true); } else { try { $this->testForSelfSigned(); $signingCert = $this; } catch (BadMethodCallException) { return $this->testForIntermediate(true, $count) && $this->validateSignature(true); } } } testForIntermediate() takes URL straight out of certificate's AIA caIssuers field and fetches it. Value comes directly from certificate content and is never restricted: // phpseclib/File/X509.php:1357-1391 (4.0 development line) $opts = $this->getExtension('id-pe-authorityInfoAccess'); ... foreach ($opts['extnValue'] as $opt) { if ($opt['accessMethod'] == 'id-ad-caIssuers') { if (isset($opt['accessLocation']['uniformResourceIdentifier'])) { $url = (string) $opt['accessLocation']['uniformResourceIdentifier']; // attacker controlled break; } } } ... $cert = static::fetchURL($url); // server-side request forgery fetchURL() conne

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.8
Published
2026-06-16
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-m557-wrgg-6rp4

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55599coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories