CVE-2026-33661
Signature Verification Bypass in Pay SDK Enables Payment Forgery
Publication date: 2026-03-26
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yansongda | pay | up to 3.7.20 (3.7.20 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Pay open-source payment SDK extension package for Chinese payment services. Before version 3.7.20, the function verify_wechat_sign() in the source code would skip all signature verification if the incoming HTTP request reported 'localhost' as the host.
An attacker can exploit this by sending a specially crafted HTTP request to the WeChat Pay callback endpoint with a 'Host: localhost' header. This causes the system to bypass the RSA signature verification entirely.
As a result, the attacker can forge fake WeChat Pay payment success notifications, potentially tricking the application into marking orders as paid even though no real payment was made.
This issue was fixed in version 3.7.20 of the SDK.
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing attackers to bypass payment verification.
Specifically, attackers can send fake payment success notifications to your application, causing it to incorrectly mark orders as paid without any actual payment.
This can lead to financial losses, fraud, and disruption of business operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the Pay SDK to version 3.7.20 or later, where the issue with skipping signature verification for requests with Host: localhost is fixed.
Additionally, as a temporary measure, ensure that your application does not accept or trust HTTP requests with a Host header set to localhost on the WeChat Pay callback endpoint.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the WeChat Pay callback endpoint and checking for requests that include a 'Host: localhost' header. Such requests indicate an attempt to bypass signature verification.
You can use network monitoring or web server access logs to identify suspicious requests with the 'Host: localhost' header targeting the callback endpoint.
Example commands to detect such requests include:
- Using grep on web server logs: `grep -i 'Host: localhost' /path/to/access.log`
- Using tcpdump to capture HTTP traffic and filter for 'Host: localhost': `sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host: localhost'`
- Using curl to test the endpoint manually: `curl -H 'Host: localhost' http://yourserver/wechatpay/callback`
If such requests are found, it indicates potential exploitation attempts of this vulnerability.
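As an added example (not code from the advisory or from the Pay project), the script below applies the access-log check described above to a few constructed log lines. It assumes an Nginx-style log format that records the Host header as the second field, and takes the callback path /wechatpay/callback from the curl example above as an assumption about the deployment.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real traffic) in an Nginx-style format where
# the logged Host header is the second field: $remote_addr $host - [$time_local] ...
SAMPLE_LOG = """\
203.0.113.10 pay.example.test - [26/Mar/2026:10:00:01 +0000] "POST /wechatpay/callback HTTP/1.1" 200 12 "-" "WeChatPay"
203.0.113.10 localhost - [26/Mar/2026:10:00:05 +0000] "POST /wechatpay/callback HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 LOCALHOST:8080 - [26/Mar/2026:10:01:00 +0000] "POST /wechatpay/callback?x=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 localhost - [26/Mar/2026:10:02:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""

# Parses: client IP, logged Host, ident, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_localhost_callbacks(log_text: str,
                             callback_path: str = "/wechatpay/callback") -> List[Dict[str, str]]:
    """Return parsed log entries for requests to the callback path whose logged
    Host is 'localhost'. The host check is case-insensitive and ignores a port
    suffix and the query string is dropped from the path, so the detection is
    deliberately broader than an exact string match (a defensive assumption).
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        host = m.group("host").lower().split(":")[0]
        path = m.group("path").split("?")[0]
        if host == "localhost" and path == callback_path:
            hits.append(m.groupdict())
    return hits

def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate suspicious callback requests per client IP for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = find_localhost_callbacks(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} Host={h['host']}")
    print(count_by_source(found))
```

The default "combined" log format of both Apache and Nginx does not record the Host header, so a format that includes `$host` (Nginx) or `%{Host}i` (Apache) is needed before this script, or the grep above, can find anything.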
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to bypass signature verification and forge fake payment success notifications, potentially causing applications to mark orders as paid without actual payment.
Such unauthorized payment processing could lead to financial discrepancies and undermine data integrity, which may impact compliance with standards and regulations that require accurate transaction records and secure processing, such as GDPR and HIPAA.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.