| Title | hybridauth >2.2.0 Improper Certificate Validation (CWE-295) |
|---|---|
| Description | # Summary
The default cURL configuration in src/HttpClient/Curl.php disables SSL certificate verification, making applications vulnerable to man-in-the-middle (MITM) attacks during OAuth/OIDC authentication flows.
# Affected Code
https://github.com/hybridauth/hybridauth/blob/d5667267011ff3fc8409ab239afddc623c6311fe/src/HttpClient/Curl.php#L23-L33
```php
protected $curlOptions = [
    CURLOPT_TIMEOUT => 30,
    CURLOPT_CONNECTTIMEOUT => 30,
    CURLOPT_SSL_VERIFYPEER => false, // Verification disabled
    CURLOPT_SSL_VERIFYHOST => false, // Host checking disabled
    // ... other options
];
```
Maintainers were contacted on 2026-02-01 via email, with a follow-up on 2026-02-20. An issue was created to alert them of a potential problem (https://github.com/hybridauth/hybridauth/issues/1444; no vuln details publicly disclosed). |
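As an added example (not part of the submission and not Hybridauth's own code): a small PHP audit of a cURL option array for the two weak settings quoted above, next to the hardened values a deployment should enforce. The `curl_options` configuration key and the `Curl::setCurlOptions()` method named at the end are assumptions about how Hybridauth 3.x forwards per-deployment options to its HTTP client; confirm them against the version you run before relying on that override.

```php
<?php
// Added example, not Hybridauth project code.
// Requires the curl extension (for the CURLOPT_* constants); run with `php audit.php`.
declare(strict_types=1);

/**
 * Return human-readable findings for options that weaken TLS verification.
 * Only explicitly weakened values are reported: if neither option is set,
 * libcurl's own defaults (peer verification on, hostname check on) apply.
 */
function auditCurlOptions(array $opts): array
{
    $findings = [];

    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: any certificate, including one an '
            . 'on-path attacker forges for the provider, is accepted';
    }

    // Only the value 2 checks that the certificate matches the requested hostname.
    // false/0 disables the check; true/1 is not a valid production setting.
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts) && (int) $opts[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: the certificate is not matched '
            . 'against the OAuth/OIDC provider hostname';
    }

    return $findings;
}

/**
 * Return a copy of the options with verification forced on. An explicit CA
 * bundle path is optional; without it libcurl uses the system trust store.
 */
function hardenCurlOptions(array $opts, ?string $caBundle = null): array
{
    $opts[CURLOPT_SSL_VERIFYPEER] = true;
    $opts[CURLOPT_SSL_VERIFYHOST] = 2;
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

// The defaults quoted from src/HttpClient/Curl.php in the report (weak state).
$weak = [
    CURLOPT_TIMEOUT        => 30,
    CURLOPT_CONNECTTIMEOUT => 30,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false,
];

$hardened = hardenCurlOptions($weak);

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $opts) {
    $findings = auditCurlOptions($opts);
    printf("%s: %d finding(s)\n", $label, count($findings));
    foreach ($findings as $f) {
        printf("  - %s\n", $f);
    }
}

// Assumed Hybridauth 3.x wiring: the adapter passes the 'curl_options' config
// entry to Curl::setCurlOptions(), which merges it over the class defaults.
// The 'keys' values are placeholders.
$config = [
    'callback'     => 'https://example.com/callback',
    'keys'         => ['id' => 'client-id-placeholder', 'secret' => 'client-secret-placeholder'],
    'curl_options' => $hardened,
];
```

Running the script reports two findings for the quoted defaults and none for the hardened array. Because the override is merged per deployment, every application that ships the affected versions still starts from the weak defaults unless it supplies the override itself, which is why the report treats the library default as the defect rather than any one integration.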
| User | jstyles (UID 96251) |
|---|---|
| Submitted | 2026-03-09 04:12 AM (2 months ago) |
| Moderation | 2026-03-22 10:40 AM (13 days later) |
| Status | Accepted |
| VulDB Entry | 352423 [HybridAuth up to 3.12.2 SSL src/HttpClient/Curl.php curlOptions weak authentication] |
| Points | 17 |