Description
Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.
Published: 2026-03-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass: Forged Payment Success
Action: Immediate Patch
AI Analysis

Impact

An open‑source payment SDK for Chinese payment services contains a flaw in the signature verification routine that skips all checks when the HTTP Host header is set to localhost. An attacker who can send a crafted request to the WeChat Pay callback endpoint with a Host: localhost header can bypass the RSA signature verification entirely, allowing the attacker to forge a payment success notification and cause an application to record an order as paid without any real transaction.

Affected Systems

The vulnerability affects any installation of the yansongda Pay SDK older than version 3.7.20. When this library exposes a WeChat Pay callback endpoint to external traffic, the skip logic can be triggered by a simple HTTP header manipulation.

Risk and Exploitability

With a CVSS score of 8.6 the flaw is considered high severity, yet its EPSS score is under 1% and it is not listed in the CISA KEV catalog, indicating low current exploitation likelihood. The attack vector is network‑based, requiring only a single crafted HTTP request. Because the bypass depends solely on the Host header, it can be performed remotely without escalating privileges, but the impact is the potential to manipulate financial transactions.

Generated by OpenCVE AI on April 2, 2026 at 04:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the yansongda Pay SDK to version 3.7.20 or later to apply the vendor fix.
  • Verify that the application’s callback handler uses the updated verify_wechat_sign logic and that no legacy code bypasses signature checks.
  • As a temporary workaround, configure the web server or application firewall to reject or remove Host: localhost headers on the WeChat Pay callback endpoint, or restrict the endpoint to trusted IPs.
  • Monitor transaction logs for unexpected payment confirmations that could indicate crafted callback requests.

Generated by OpenCVE AI on April 2, 2026 at 04:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q938-ghwv-8gvc WeChat Pay callback signature verification bypassed when Host header is localhost
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yansongda:pay:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Yansongda
Yansongda pay
Vendors & Products Yansongda
Yansongda pay

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.
Title WeChat Pay callback signature verification bypassed when Host header is localhost
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

Yansongda Pay
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:00:56.285Z

Reserved: 2026-03-23T15:23:42.219Z

Link: CVE-2026-33661

cve-icon Vulnrichment

Updated: 2026-03-27T14:12:58.458Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T22:16:29.560

Modified: 2026-04-01T13:47:23.640

Link: CVE-2026-33661

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:18Z

Weaknesses