
5.2.4


@Spomky Spomky released this 08 Mar 17:26
50445d6

Release Notes for 5.2.4

Security Fix

  • Fixed origin validation bypass in CheckAllowedOrigins (GHSA-f7pm-6hr8-7ggm, CWE-346, CVSS 5.4)

    When allowed_origins was configured, CheckAllowedOrigins reduced URL origins to their host component only, ignoring scheme and port. This allowed a request from a different port (or scheme) to pass origin validation, violating the WebAuthn Level 2 spec requirement for exact origin matching.

    CheckAllowedOrigins now performs full origin comparison (scheme + host + port) with default port normalization (443 for HTTPS, 80 for HTTP). Origins configured without a scheme are still matched by host only for backward compatibility.

    Reported by @dorakemon.
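An added illustration of the distinction this fix draws (not the library's own CheckAllowedOrigins code; function names and the sample origins are hypothetical): a host-only comparison as the pre-5.2.4 check worked, beside a full scheme+host+port comparison with default-port normalization and the host-only fallback for scheme-less entries.

```php
<?php
declare(strict_types=1);
// Added example, not the library's own code; function names are hypothetical.
// Canonical "scheme://host:port" with 443/80 filled in for https/http; null if unparsable.
function normalizeOrigin(string $origin): ?string
{
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $port = $parts['port'] ?? (['https' => 443, 'http' => 80][$scheme] ?? null);
    return $port === null ? null : sprintf('%s://%s:%d', $scheme, strtolower($parts['host']), $port);
}

// Pre-5.2.4 behaviour: only the host is compared, so scheme and port are ignored.
function hostOnlyAllowed(array $allowedOrigins, string $actual): bool
{
    $actualHost = strtolower((string) parse_url($actual, PHP_URL_HOST));
    foreach ($allowedOrigins as $allowed) {
        if ($actualHost !== '' && strtolower((string) parse_url($allowed, PHP_URL_HOST)) === $actualHost) {
            return true;
        }
    }
    return false;
}

// 5.2.4 behaviour: exact scheme+host+port match; scheme-less entries still match by host only.
function fullOriginAllowed(array $allowedOrigins, string $actual): bool
{
    $actualNorm = normalizeOrigin($actual);
    $actualHost = strtolower((string) parse_url($actual, PHP_URL_HOST));
    foreach ($allowedOrigins as $allowed) {
        if (!str_contains($allowed, '://')) {            // backward-compat bare host entry
            if ($actualHost !== '' && strtolower($allowed) === $actualHost) {
                return true;
            }
        } elseif ($actualNorm !== null && normalizeOrigin($allowed) === $actualNorm) {
            return true;
        }
    }
    return false;
}

// Constructed clientDataJSON origin: same host as the allowed entry, non-default port.
$allowed = ['https://example.com'];
$origin  = 'https://example.com:8443';
var_dump(hostOnlyAllowed($allowed, $origin));    // pre-fix: host matches, port ignored
var_dump(fullOriginAllowed($allowed, $origin));  // fixed: port differs, rejected
var_dump(fullOriginAllowed($allowed, 'https://example.com:443')); // default port normalized
```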

Upgrade

composer update web-auth/webauthn-framework
# or
composer update web-auth/webauthn-lib web-auth/webauthn-symfony-bundle