GHSA-22w3-693w-x895 - webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible
GHSA-22w3-693w-x895 LOW rust/webauthn-rs-core
CVE:
Summary
webauthn-rs-core ([Relying Party][rp]) and webauthn-authenticator-rs ([client][]) checked that [an Origin in CollectedClientData][origin] is valid for [an RP ID][rpid] with [str::ends_with()][ends-with], [without checking for a dot (.) before the RP ID when allowing subdomains][registerable-suffix].
This check is flawed, and could allow requests from an attacker-controlled domain such as hermit-crab.example to be accepted for the RP ID crab.example (assuming .example were a publicly registrable TLD) when the RP allows authenticating from a subdomain (disabled by default in webauthn-rs-core and webauthn-rs).
[registerable-suffix]: https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
[ends-with]: https://doc.rust-lang.org/stable/std/primitive.str.html#method.ends_with
[client]: https://www.w3.org/TR/webauthn-3/#client
[rp]: https://www.w3.org/TR/webauthn-3/#relying-party
[rpid]: https://www.w3.org/TR/webauthn-3/#rp-id
[origin]: https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-origin
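The suffix check described above, next to a form that requires a label boundary before the RP ID. This is an added example, not code from webauthn-rs; the function names are hypothetical, and it assumes hosts that are already parsed out of the origin and lowercased. It covers only the dot-boundary condition, not the public-suffix part of the registrable-domain rule.

```rust
/// Flawed form (hypothetical name): a raw string suffix match, as the
/// advisory describes. "hermit-crab.example" ends with "crab.example".
fn flawed_host_matches(host: &str, rp_id: &str, allow_subdomains: bool) -> bool {
    if allow_subdomains {
        host.ends_with(rp_id)
    } else {
        host == rp_id
    }
}

/// Boundary-aware form (hypothetical name): the host is either exactly the
/// RP ID, or the RP ID preceded by at least one label and a '.'.
fn strict_host_matches(host: &str, rp_id: &str, allow_subdomains: bool) -> bool {
    if host == rp_id {
        return true;
    }
    if !allow_subdomains || rp_id.is_empty() {
        return false;
    }
    match host.strip_suffix(rp_id) {
        // The prefix must be "<label(s)>." and not just "." on its own.
        Some(prefix) => prefix.len() > 1 && prefix.ends_with('.'),
        None => false,
    }
}

fn main() {
    let rp_id = "crab.example";
    // Constructed sample hosts; the first two names come from the advisory text.
    let hosts = [
        "crab.example",
        "hermit-crab.example",
        "login.crab.example",
        ".crab.example",
    ];
    println!("{:<22} {:>6} {:>6}", "host", "flawed", "strict");
    for host in hosts {
        println!(
            "{:<22} {:>6} {:>6}",
            host,
            flawed_host_matches(host, rp_id, true),
            strict_host_matches(host, rp_id, true)
        );
    }
}
```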
- In webauthn-rs-core, this only applies when:
  * WebauthnCore::allow_subdomains_origin is true (the default is false), *and*
  * the attacker could register a domain that ends with the RP ID as a raw string, *and*
  * the client does not implement these checks correctly either

  webauthn-rs can set allow_subdomains_origin via WebauthnBuilder::allow_subdomains. Fixing the bug in webauthn-rs-core also fixes it in webauthn-rs.
- In webauthn-authenticator-rs, the flawed check is in WebauthnAuthenticator::do_registration() and [
📌 Source: GitHub-Advisory | 📅 2026-05-06