CVE-2026-55599
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The phpseclib library up to versions 1.0.30, 2.0.55, and 3.0.54 by default fetches a URL from the Authority Information Access (AIA) extension of an untrusted X.509 certificate during validation. An attacker can supply a certificate with a controlled host, port, and path, leading to a server-side request forgery (SSRF) vulnerability.
Risk Assessment
An unauthenticated attacker can force the validating server to make connections to internal hosts and ports, such as loopback (127.0.0.1), cloud metadata address (169.254.169.254), or internal-only services, potentially leading to privilege escalation or data exfiltration.
Recommendation
Immediately update the phpseclib library to version 1.0.30, 2.0.55, or 3.0.54. If an update is not possible, disable the default URL fetching from the AIA extension in the library configuration.
Original NVD description (English source)
phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54.

