Platform
php
Component
yansongda/pay
Fixed in
3.7.21
3.7.20
CVE-2026-33661 describes a signature bypass vulnerability in the yansongda/pay PHP library, impacting versions up to 3.7.9. The flaw allows attackers to forge WeChat Pay payment success notifications, potentially causing orders to be marked as paid without any payment having been made. The vulnerability stems from an unconditional bypass of signature verification when the HTTP request's Host header is set to localhost. A patch is available in version 3.7.20.
The impact of CVE-2026-33661 is significant, enabling attackers to manipulate payment processing within applications utilizing the vulnerable library. By sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, an attacker can completely bypass the RSA signature check. This allows them to fabricate payment success notifications, tricking the application into believing a payment has been received when it hasn't. This could result in fraudulent transactions, financial losses for merchants, and potential reputational damage. The blast radius extends to any application relying on yansongda/pay for WeChat Pay integration and failing to implement proper input validation or host header restrictions.
CVE-2026-33661 was publicly disclosed on March 25, 2026. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's simplicity suggests it could be easily exploited. The vulnerability's impact on payment processing makes it a high-priority target for attackers.
Exploit Status
EPSS
0.09% (26th percentile)
The primary mitigation for CVE-2026-33661 is to upgrade to version 3.7.20 or later of the yansongda/pay library. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by validating the Host header in the application code. Specifically, reject any requests with a Host: localhost header when processing WeChat Pay callbacks. Additionally, implement strict input validation on all data received from the WeChat Pay callback endpoint. For web applications, consider implementing a Web Application Firewall (WAF) rule to block requests with the suspicious Host header. After upgrading, confirm the fix by sending a test WeChat Pay callback request and verifying that the signature verification process is functioning correctly.
Update the `yansongda/pay` library to version 3.7.20 or higher. This fixes the signature verification bypass vulnerability in the WeChat Pay callback when the Host header is localhost.
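As an added example (not code from yansongda/pay or from this advisory's author), the guard below shows the workaround and the verification check described above for a WeChat Pay callback handler in PHP: the Host header is matched against an allow-list, which generalizes the "reject Host: localhost" rule, and the RSA signature must verify before an order is marked paid. Header names and the signed-string layout follow the WeChat Pay APIv3 scheme; the key pair, payload and allowed host are constructed for the demo, and the platform-certificate lookup by serial number is omitted.

```php
<?php
declare(strict_types=1);
// Added example, not yansongda/pay code. Header names follow WeChat Pay APIv3
// (signed string: timestamp\nnonce\nbody\n); key and payload are constructed,
// and the platform-certificate lookup by serial number is omitted.

function hostIsAllowed(string $host, array $allowedHosts): bool
{
    // Normalise (drop port, lowercase) and require an explicit allow-list match.
    // 'localhost', an empty Host or an unexpected host fails here and never
    // short-circuits the signature check.
    $bare = strtolower((string) parse_url('//' . $host, PHP_URL_HOST));
    return $bare !== '' && in_array($bare, $allowedHosts, true);
}

function verifyNotification(array $headers, string $body, string $publicKeyPem): bool
{
    $sig = base64_decode($headers['Wechatpay-Signature'] ?? '', true);
    if ($sig === false || $sig === '') {
        return false;
    }
    $message = ($headers['Wechatpay-Timestamp'] ?? '') . "\n"
             . ($headers['Wechatpay-Nonce'] ?? '') . "\n" . $body . "\n";
    // openssl_verify() returns 1 only for a valid signature; 0, -1 and false all fail.
    return openssl_verify($message, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

function shouldMarkPaid(array $headers, string $body, string $publicKeyPem, array $allowedHosts): bool
{
    return hostIsAllowed($headers['Host'] ?? '', $allowedHosts)
        && verifyNotification($headers, $body, $publicKeyPem);
}

// Constructed demo: a throwaway RSA key pair stands in for the platform key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$body = '{"out_trade_no":"ORDER-1001","trade_state":"SUCCESS"}';
[$ts, $nonce] = ['1700000000', 'demo-nonce'];
openssl_sign("$ts\n$nonce\n$body\n", $rawSig, $key, OPENSSL_ALGO_SHA256);
$signed = ['Wechatpay-Timestamp' => $ts, 'Wechatpay-Nonce' => $nonce,
           'Wechatpay-Signature' => base64_encode($rawSig)];
$allowed = ['pay.example.com'];
$cases = [
    'genuine'   => [$signed + ['Host' => 'pay.example.com'], $body],
    'host-only' => [['Host' => 'localhost'], $body],   // the request shape the advisory describes
    'tampered'  => [$signed + ['Host' => 'pay.example.com'], str_replace('SUCCESS', 'FAIL', $body)],
];
foreach ($cases as $name => [$hdrs, $payload]) {
    printf("%-9s mark paid? %s\n", $name, shouldMarkPaid($hdrs, $payload, $publicPem, $allowed) ? 'yes' : 'no');
}
```

Only the genuine case should be marked paid; a request whose only credential is its Host header, or whose body no longer matches the signed bytes, is refused.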
CVE-2026-33661 is a HIGH severity vulnerability in the yansongda/pay PHP library where a 'Host: localhost' header bypasses signature verification in WeChat Pay callbacks, allowing forged payment notifications.
You are affected if your application uses yansongda/pay version 3.7.9 or earlier. Check your dependencies and upgrade immediately.
Upgrade to version 3.7.20 or later of the yansongda/pay library. As a temporary workaround, validate the 'Host' header and reject requests with 'Host: localhost'.
There is currently no evidence of active exploitation, but the vulnerability's simplicity makes it a potential target.
Refer to the yansongda/pay GitHub repository for updates and advisories: https://github.com/yansongda/pay