DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GQ4G-FPC9-VJFQ: GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

Vulnerability ID: GHSA-GQ4G-FPC9-VJFQ
CVSS Score: 2.3
Published: 2026-07-07

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

TL;DR

The default WebAuthn fake credential generator uses an empty secret, making decoy credentials predictable and enabling unauthenticated username enumeration.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-203
  • Attack Vector: Network
  • CVSS v4.0: 2.3 (Low)
  • Exploit Status: Proof-of-Concept
  • Impact: Username Enumeration
  • KEV Status: Not Listed

Affected Systems

  • web-auth/webauthn-lib
  • web-auth/webauthn-lib: >= 4.9.0, < 5.3.5 (Fixed in: 5.3.5)

Mitigation Strategies

  • Upgrade web-auth/webauthn-lib to version 5.3.5 or higher.
  • Provide a cryptographically secure, deployment-specific secret parameter when initializing SimpleFakeCredentialGenerator.
  • Ensure framework level secrets (such as kernel.secret in Symfony) are properly populated with high-entropy values.

Remediation Steps:

  1. Identify all instantiations of SimpleFakeCredentialGenerator within the application code.
  2. Modify the construction logic to retrieve a secure secret from environmental variables.
  3. Deploy the updated codebase and verify that no deprecation warnings are emitted during authentication requests.

References


Read the full report for GHSA-GQ4G-FPC9-VJFQ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)