CVE-2020-36474:
SafeCurl before 0.9.2 has a DNS rebinding vulnerability.
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.73753%
CWE
-
Published
8/25/2021
Updated
2/1/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
vanilla/safecurl | composer | < 0.9.2 | 0.9.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a time-of-check-to-time-of-use (TOCTOU) issue in DNS resolution. The pre-0.9.2 implementation validated hostnames and resolved IPs initially but didn't enforce these resolved IPs during the actual cURL
request execution. The GitHub
pull request #2 adds DNS pinning through CURLOPT_RESOLVE
in the execute()
method, confirming this was the missing protection. The execute()
method's failure to lock DNS results after validation created the window for DNS rebinding attacks.