GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib
Vulnerability ID: GHSA-GQ4G-FPC9-VJFQ
CVSS Score: 2.3
Published: 2026-07-07
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.
TL;DR
The default WebAuthn fake credential generator uses an empty secret, making decoy credentials predictable and enabling unauthenticated username enumeration.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-203
- Attack Vector: Network
- CVSS v4.0: 2.3 (Low)
- Exploit Status: Proof-of-Concept
- Impact: Username Enumeration
- KEV Status: Not Listed
Affected Systems
- web-auth/webauthn-lib
-
web-auth/webauthn-lib: >= 4.9.0, < 5.3.5 (Fixed in:
5.3.5)
Mitigation Strategies
- Upgrade web-auth/webauthn-lib to version 5.3.5 or higher.
- Provide a cryptographically secure, deployment-specific secret parameter when initializing SimpleFakeCredentialGenerator.
- Ensure framework level secrets (such as kernel.secret in Symfony) are properly populated with high-entropy values.
Remediation Steps:
- Identify all instantiations of SimpleFakeCredentialGenerator within the application code.
- Modify the construction logic to retrieve a secure secret from environmental variables.
- Deploy the updated codebase and verify that no deprecation warnings are emitted during authentication requests.
References
- GitHub Security Advisory GHSA-gq4g-fpc9-vjfq
- Vulnerability Report on web-auth/webauthn-framework
- Web-auth Framework Main Repository
Read the full report for GHSA-GQ4G-FPC9-VJFQ on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)