GHSA-h4fw-6r7f-w494 - Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy

📡 GitHub-Advisory · 2026-05-07


GHSA-h4fw-6r7f-w494 · Severity: LOW · Package: composer/web-auth/webauthn-framework

CVE:

Summary

In version 5.3.0 of the Symfony bundle, Webauthn\Bundle\Policy\ClientOverridePolicy defaulted to allowing all client overrides, including userVerification. A client could send {"userVerification": "discouraged"} in the assertion or attestation options request to override a server-configured userVerification: required, causing the emitted WebAuthn options to instruct the authenticator to skip user verification. The CheckUserVerification ceremony step then read the same downgraded options and skipped its check.

Affected versions

  • Vulnerable: 5.3.0
  • Patched: 5.3.1

5.3.0 was released on 2026-05-01 and 5.3.1 was published roughly 18 hours later, on 2026-05-02. Practical exposure window was minimal.

Note on earlier 5.x versions

Versions 5.0.0 to 5.2.x did not ship ClientOverridePolicy (introduced in 5.3.0), so the exact code path described above does not apply. However, on those versions the ProfileBasedRequestOptionsBuilder and ProfileBasedCreationOptionsBuilder already passed the client-supplied userVerification value directly to the options factory, where the profile value is only applied as a fallback via ??= (so a client-supplied value takes precedence). The functional outcome (a client can downgrade userVerification) is the same. The recommended mitigation (see below) applies regardless of the version, and users on 5.0.x – 5.2.x are encouraged to upgrade to 5.3.1 or later.

Severity

This is a defense-in-depth issue rather than a primitive that grants authentication on its own:

  • The attacker must already possess the victim's authenticator (a stolen security key, an unlocked device). Without that, the downgrade is inconsequential.
  • The framework exposes the actual UV outcome on the returned authenticator data (AuthenticatorData::isUserVerified()). Applications that gate sensitive operations on this flag — as documented — remain protected even on the vulnerable version.
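The following is an added illustration, not code from web-auth/webauthn-framework: it models the default-open override merge from the Summary (and the ??= fallback on earlier 5.x), the allowlisted merge that closes it, and the server-side gate that trusts only the UV flag the authenticator reported. PROFILE, the client request and the function names are hypothetical stand-ins for the bundle's own types.

```php
<?php
declare(strict_types=1);

/** Server-configured profile (constructed sample; stands in for the bundle's profile). */
const PROFILE = ['userVerification' => 'required', 'timeout' => 60000];

/** Vulnerable merge: every client key is accepted as an override and the profile
 *  value is only applied through ??=, i.e. when the client sent nothing for that key. */
function buildOptionsDefaultOpen(array $clientRequest): array
{
    $options = $clientRequest;
    foreach (PROFILE as $key => $value) {
        $options[$key] ??= $value; // a client-supplied value wins here
    }
    return $options;
}

/** Hardened merge: the profile is the base and only allowlisted keys may be
 *  overridden by the client; userVerification is never on that list. */
function buildOptionsAllowlisted(array $clientRequest, array $allowed = ['timeout']): array
{
    $options = PROFILE;
    foreach ($allowed as $key) {
        if (array_key_exists($key, $clientRequest)) {
            $options[$key] = $clientRequest[$key];
        }
    }
    return $options;
}

/** Independent gate for sensitive operations. It fails closed if the options that were
 *  emitted to the browser no longer carry the profile's requirement (a downgrade happened),
 *  and otherwise trusts only the flag the authenticator actually reported, which the
 *  framework exposes as AuthenticatorData::isUserVerified(). */
function gateSensitiveOperation(array $emittedOptions, bool $isUserVerifiedFlag): bool
{
    if (($emittedOptions['userVerification'] ?? null) !== PROFILE['userVerification']) {
        return false; // options were downgraded relative to server configuration
    }
    return $isUserVerifiedFlag;
}

// Constructed client request attempting the downgrade while also tweaking a harmless key.
$downgrade = ['userVerification' => 'discouraged', 'timeout' => 30000];

echo 'default-open merge  : ', json_encode(buildOptionsDefaultOpen($downgrade)), PHP_EOL;
echo 'allowlisted merge   : ', json_encode(buildOptionsAllowlisted($downgrade)), PHP_EOL;
echo 'gate (downgraded)   : ', var_export(gateSensitiveOperation(buildOptionsDefaultOpen($downgrade), true), true), PHP_EOL;
echo 'gate (fixed, UV set): ', var_export(gateSensitiveOperation(buildOptionsAllowlisted($downgrade), true), true), PHP_EOL;
```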

Mitigation

Applications gating sensitive operations on user verification MUST re-check

