Summary
The CurlDispatcher in php-embed/Embed defaults CURLOPT_SSL_VERIFYHOST to 0 and CURLOPT_SSL_VERIFYPEER to false when the caller provides no explicit settings. Because these are the options that control certificate chain validation and hostname matching, every HTTPS request made through the library is susceptible to man-in-the-middle (MITM) interception by default.
Code Location
src/Http/CurlDispatcher.php (lines 131-132):
CURLOPT_SSL_VERIFYHOST => $settings['ssl_verify_host'] ?? 0,
CURLOPT_SSL_VERIFYPEER => $settings['ssl_verify_peer'] ?? false,
Impact
The library is used to fetch remote URLs (OEmbed, web page previews, API responses). With the insecure defaults:
- No certificate chain validation
- No hostname matching
- All fetched content, and any authentication data sent with the request (API keys in query strings, cookies), can be read or modified by a MITM attacker
Suggested Fix
CURLOPT_SSL_VERIFYHOST => $settings['ssl_verify_host'] ?? 2,
CURLOPT_SSL_VERIFYPEER => $settings['ssl_verify_peer'] ?? true,
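To show what the two settings do in practice, here is an added PHP example; it is not code from the advisory or from the php-embed/Embed project. It builds the two option arrays the library would hand to curl_setopt_array() (the vulnerable defaults and the suggested fix), checks each with a small audit function that mirrors the two options named above, and shows how an application can pass the secure values itself. The names `ssl_verify_host` / `ssl_verify_peer` come from the code location above; that `Embed::setSettings()` forwards them to the CurlDispatcher is an assumption about the 4.x API.

```php
<?php
// Added example; not part of the advisory or of php-embed/Embed.
declare(strict_types=1);

use Embed\Embed;

/**
 * Settings that restore full TLS validation until the library defaults change.
 * The keys match the ones read in src/Http/CurlDispatcher.php.
 */
function secureEmbedSettings(): array
{
    return [
        'ssl_verify_host' => 2,    // require the certificate name to match the host
        'ssl_verify_peer' => true, // validate the chain against the CA bundle
    ];
}

/**
 * Defensive audit: given the final curl option array a dispatcher would pass
 * to curl_setopt_array(), report whether TLS validation is intact.
 * Missing keys fall back to curl's own secure defaults (2 / true).
 * Casts are used because curl accepts 1/true and 0/false interchangeably.
 */
function tlsValidationEnabled(array $curlOptions): bool
{
    $verifyHost = (int) ($curlOptions[CURLOPT_SSL_VERIFYHOST] ?? 2);
    $verifyPeer = (bool) ($curlOptions[CURLOPT_SSL_VERIFYPEER] ?? true);

    return $verifyHost === 2 && $verifyPeer;
}

// Constructed option arrays: what the vulnerable defaults and the fix produce.
$vulnerableOptions = [
    CURLOPT_SSL_VERIFYHOST => 0,
    CURLOPT_SSL_VERIFYPEER => false,
];
$fixedOptions = [
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_SSL_VERIFYPEER => true,
];

printf("vulnerable defaults validate TLS: %s\n", tlsValidationEnabled($vulnerableOptions) ? 'yes' : 'no');
printf("suggested fix validates TLS:      %s\n", tlsValidationEnabled($fixedOptions) ? 'yes' : 'no');

// Application-side mitigation on an unpatched version.
// Assumption: Embed::setSettings() forwards these keys to the CurlDispatcher.
$embed = new Embed();
$embed->setSettings(secureEmbedSettings());
$info = $embed->get('https://example.com/');
echo $info->title, "\n";
```

The audit function is the useful part for a defender: run it against whatever option array your own wrapper ends up building, so a regression in the library default (or a copy-pasted `?? 0`) is caught in a unit test rather than in production. Passing the settings explicitly, as in the last block, is the correct workaround until the library ships the suggested defaults, and it keeps working after the fix lands.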
Severity
CVSS 3.1: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CWE-295: Improper Certificate Validation