GHSA-m557-wrgg-6rp4: Server-Side Request Forgery via Authority Information Access (AIA) Chasing in phpseclib

The PHP Secure Communications Library (phpseclib) is a pure-PHP implementation of cryptographic and public-key infrastructure primitives. Within its X.509 validation module, File/X509.php, the library supports dynamic path validation to construct complete certificate trust chains. If a validated certificate is signed by an intermediate certificate authority that is not present in the local trust store, the library tries to retrieve the missing certificate dynamically.

This behavior, defined as Authority Information Access (AIA) Chasing under RFC 4325, parses the id-pe-authorityInfoAccess extension inside the certificate to locate the parent CA URI. When an application parses an untrusted certificate containing this extension, phpseclib extracts the URI specified in the id-ad-caIssuers access method and issues an HTTP GET request to download the issuer's certificate.

However, because dynamic AIA chasing was enabled by default without destination validation, the implementation introduces a Server-Side Request Forgery (SSRF) vulnerability. An attacker capable of submitting or uploading a crafted certificate to an application using phpseclib can fully control the destination host, port, and query string of the resulting outbound HTTP request. The lack of destination restrictions means that the server can be forced to connect to internal systems, loopback interfaces, or cloud metadata endpoints.

The root cause of GHSA-m557-wrgg-6rp4 is a structural vulnerability arising from three compounding deficiencies: input trust issues, unsafe default behavior, and a lack of egress verification. The primary failure is the direct ingestion and parsing of unvalidated metadata from untrusted sources. Because the id-pe-authorityInfoAccess extension resides within the certificate body itself, any attacker can specify an arbitrary URL during certificate generation.

During signature evaluation, the validation pipeline triggers testForIntermediate() to find parent certificates. The library parses the certificate's extensions, extracts the value of the uniformResourceIdentifier inside the AIA structure, and passes it directly to the static method fetchURL(). No validation is performed on the host or scheme before this transition.

Finally, the fetchURL() method uses PHP's native fsockopen() function to establish a raw TCP connection to the extracted destination. Prior to the remediation, the static Boolean property $disable_url_fetch was initialized to false by default, activating dynamic HTTP requests out-of-the-box. Furthermore, fetchURL() lacks any destination restrictions or loopback blocklists, leaving the validating server vulnerable to arbitrary intranet interactions.

In affected versions of phpseclib, the dynamic fetching process begins inside File/X509.php when the signature validation engine fails to find a pre-loaded local issuer. The code extracts the target URL and directly initiates a socket handshake via fetchURL() without structural checks on the destination address.

// Vulnerable logic in File/X509.php prior to remediation
private static function fetchURL(string $url): ?string
{ 
    if (self::$disable_url_fetch) { // Default is false
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme']) || !isset($parts['host'])) {
        return null;
    }
    switch ($parts['scheme']) {
        case 'http':
            // Open socket to arbitrary host and port controlled by the attacker
            $fsock = @fsockopen($parts['host'], $parts['port'] ?? 80, $errno, $errstr, 5);
            if (!$fsock) {
                return null;
            }
            $path = ($parts['path'] ?? '/') . (isset($parts['query']) ? '?' . $parts['query'] : '');
            fputs($fsock, "GET $path HTTP/1.0\r\n");
            fputs($fsock, "Host: $parts[host]\r\n\r\n");
            ...

The remediation introduces a mechanism to intercept and validate or entirely block these outbound requests. In versions 1.0.30, 2.0.55, and 3.0.54, a callback execution pattern is established, allowing developers to define custom egress filtering.

// Remediated logic in File/X509.php introducing callback delegation
private static $url_fetch_callback = null;
 
public static function setURLFetchCallback(callable $callback)
{ 
    self::$url_fetch_callback = $callback;
}
 
private static function fetchURL(string $url): ?string
{ 
    if (self::$disable_url_fetch) {
        return null;
    }
    // If a custom validation callback is registered, delegate handling
    if (is_callable(self::$url_fetch_callback)) {
        return call_user_func(self::$url_fetch_callback, $url);
    }
    
    // Standard fallback logic applies restricted handling or blocks fetching
    ...

To exploit GHSA-m557-wrgg-6rp4, an attacker must target an application interface that parses and validates client-supplied certificates, such as WebID-TLS endpoints, S/MIME message processors, or SAML metadata upload endpoints. The attacker prepares a leaf certificate and configures the AIA extension field to point to an internal resource or port.

Once the application processes the certificate and triggers $x509->validateSignature(), phpseclib parses the extension and extracts the target URI. The validation execution triggers an outbound GET request to the target URI regardless of whether the signature eventually fails to validate. This provides an attacker with a blind SSRF capability, allowing them to map internal networks or interact with unauthenticated REST endpoints.

The CVSS v3.1 vector string is evaluated as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, yielding a Moderate severity score of 5.8. Because the Scope parameter is set to Changed (S:C), the vulnerability is characterized by its potential to cross security boundaries—such as transitioning from a public web server context to an isolated internal administrative domain.

In cloud environments, attackers can target the link-local address 169.254.169.254. This allows access to Instance Metadata Services (IMDSv1) on AWS, Azure, or Google Cloud, which frequently contain active IAM credentials, configuration parameters, or environment variables. Exposure of these endpoints can lead to full host or cloud account compromise.

In local environments, this flaw facilitates internal network mapping and port scanning. Attackers can execute HTTP requests to local database sockets, Redis instances (127.0.0.1:6379), or internal administrative utilities. Because the HTTP response is parsed solely for X.509 compatibility, direct data extraction is minimized, but request-forgery actions (such as sending command payloads via URI parameters) remain fully viable.

Remediation requires upgrading the phpseclib/phpseclib dependency to the designated secure versions: 1.0.30, 2.0.55, or 3.0.54. These releases introduce the capability to intercept dynamic fetches and implement proper host validation.

If immediate upgrading is not possible, developers must explicitly call X509::disableURLFetch() prior to parsing or validating untrusted certificates. This permanently deactivates dynamic fetching, preventing the execution of fetchURL() during signature validation.

For systems where dynamic AIA chasing is a business requirement, developers using the patched releases must invoke X509::setURLFetchCallback() to register a custom verification hook. This hook must validate that target hostnames do not resolve to local loopback ranges, private class subnets (RFC 1918), or link-local targets (RFC 3927) before allowing the socket connection to proceed.