| Titre | hybridauth >2.2.0 Improper Certificate Validation (CWE-295) |
|---|
| Description | # Summary
The default cURL configuration in src/HttpClient/Curl.php disables SSL certificate verification, making applications vulnerable to man-in-the-middle (MITM) attacks during OAuth/OIDC authentication flows.
Affected Code
https://github.com/hybridauth/hybridauth/blob/d5667267011ff3fc8409ab239afddc623c6311fe/src/HttpClient/Curl.php#L23-L33
```
protected $curlOptions = [
CURLOPT_TIMEOUT => 30,
CURLOPT_CONNECTTIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => false, // Verification disabled
CURLOPT_SSL_VERIFYHOST => false, // Host checking disabled
// ... other options
];
```
Maintainers were contacted on 2026-02-01 via email, followed up on 2026-02-20. An issue was created to alert them of a potential problem https://github.com/hybridauth/hybridauth/issues/1444 (no vuln details publicly disclosed). |
|---|
| Utilisateur | jstyles (UID 96251) |
|---|
| Soumission | 09/03/2026 04:12 (il y a 2 mois) |
|---|
| Modérer | 22/03/2026 10:40 (13 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 352423 [HybridAuth jusqu’à 3.12.2 SSL src/HttpClient/Curl.php curlOptions authentification faible] |
|---|
| Points | 17 |
|---|