
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Httpful PHP library (nategood/httpful) contains a security vulnerability related to missing default certificate validation in HTTPS connections. The vulnerability affects all versions prior to 1.0.0, where the strict_ssl parameter was set to false by default, potentially allowing insecure HTTPS connections (GitHub Advisory, Security Advisories).
The vulnerability stems from the default configuration in the Request.php file, where strict_ssl was set to false and the initializeDefaults method explicitly called withoutStrictSSL(). This configuration disabled SSL/TLS certificate validation by default, leaving HTTPS connections susceptible to man-in-the-middle attacks. The issue has a CVSS v4 score of 6.9 (Moderate severity) with a Network attack vector and Low attack complexity (GitHub Advisory).
When strict SSL verification is disabled, attackers could potentially intercept HTTPS connections between the application and remote servers. This could lead to unauthorized access to sensitive information, as the application would not properly verify the authenticity of SSL certificates, making it vulnerable to man-in-the-middle attacks (GitHub Issue).
The vulnerability has been fixed in version 1.0.0 by changing the default value of strict_ssl to true. Users should upgrade to version 1.0.0 or later to ensure proper certificate validation. For those unable to upgrade immediately, they can manually enable strict SSL verification by calling ->withStrictSSL() on their requests (GitHub Commit).
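A defensive wrapper, added here as an example (it is not code from the advisory or from the Httpful project), that enforces certificate validation on every Httpful request regardless of which default the installed version ships with. It assumes Composer autoloading, Httpful's `Request::ini()` template mechanism, and the public `strict_ssl` property on `Request`; the URL and the `secureGet` helper are hypothetical.

```php
<?php
// Added example: enforce strict SSL on Httpful requests as a workaround for the
// insecure pre-1.0.0 default and as defense in depth after upgrading.
require 'vendor/autoload.php';

use Httpful\Request;

// Register a template so that every request created afterwards starts with
// strict SSL enabled (Request::ini() is Httpful's template mechanism).
Request::ini(Request::init()->withStrictSSL());

/**
 * Build a GET request that always validates the server certificate and
 * refuse to send it if validation somehow ended up disabled.
 * (Hypothetical helper; not part of Httpful.)
 */
function secureGet(string $url): Request
{
    $request = Request::get($url)
        ->withStrictSSL();   // explicit per-request opt-in, independent of version

    // Guard against a later call to withoutStrictSSL() or a template reset:
    // strict_ssl is a public property on Request (assumption based on the 0.x/1.0 API).
    if ($request->strict_ssl !== true) {
        throw new RuntimeException('Refusing to send request without certificate validation');
    }

    return $request;
}

// Usage: a request that fails closed if the certificate chain does not verify.
$response = secureGet('https://api.example.com/v1/status')  // hypothetical endpoint
    ->expectsJson()
    ->send();

echo 'HTTP ' . $response->code . PHP_EOL;
```

Pair this with an upgrade to Httpful 1.0.0 or later; the wrapper protects against code paths that still call `withoutStrictSSL()` explicitly, which the new default alone does not.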
Source: This report was generated using AI