| Titel | hybridauth >2.2.0 Improper Certificate Validation (CWE-295) |
|---|
| Beschreibung | # Summary
The default cURL configuration in src/HttpClient/Curl.php disables SSL certificate verification, making applications vulnerable to man-in-the-middle (MITM) attacks during OAuth/OIDC authentication flows.
Affected Code
https://github.com/hybridauth/hybridauth/blob/d5667267011ff3fc8409ab239afddc623c6311fe/src/HttpClient/Curl.php#L23-L33
```
protected $curlOptions = [
CURLOPT_TIMEOUT => 30,
CURLOPT_CONNECTTIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => false, // Verification disabled
CURLOPT_SSL_VERIFYHOST => false, // Host checking disabled
// ... other options
];
```
Maintainers were contacted on 2026-02-01 via email, followed up on 2026-02-20. An issue was created to alert them of a potential problem https://github.com/hybridauth/hybridauth/issues/1444 (no vuln details publicly disclosed). |
|---|
| Benutzer | jstyles (UID 96251) |
|---|
| Einreichung | 09.03.2026 04:12 (vor 2 Monaten) |
|---|
| Moderieren | 22.03.2026 10:40 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 352423 [HybridAuth bis 3.12.2 SSL src/HttpClient/Curl.php curlOptions schwache Authentisierung] |
|---|
| Punkte | 17 |
|---|