fido2-lib Denial-of-Service Vulnerability via CBOR Parsing
The fido2-lib library is vulnerable to a denial-of-service (DoS) attack due to a heap buffer over-read in the cbor-extract dependency when parsing CBOR attestation data, allowing an attacker to crash the server by sending a crafted CBOR payload during WebAuthn registration.
The fido2-lib library, specifically versions 3.x, is susceptible to a denial-of-service (DoS) vulnerability due to a heap buffer over-read within its dependency, cbor-extract. This vulnerability arises during the parsing of CBOR (Concise Binary Object Representation) attestation data within the WebAuthn registration process. The root cause lies in the cbor-extract library (versions <= 2.2.0), which is optionally used by cbor-x (~1.6.0), a dependency of fido2-lib. A crafted 5-byte CBOR payload, when processed, triggers a SIGSEGV signal, causing the Node.js process to crash without any JavaScript exception handling. This issue was fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (released on 2026-03-08), but fido2-lib@3.5.7 still pins cbor-x to a vulnerable version. This vulnerability is exploitable through a single, unauthenticated request to the WebAuthn registration endpoint.
Attack Chain
- Attacker initiates a WebAuthn registration process on a vulnerable server.
- The server generates a challenge and sends it to the user's authenticator.
- Attacker intercepts the authenticator's registration response (containing the attestation object).
- Attacker replaces the original
attestationObjectin the response with a crafted 5-byte CBOR payload:7a10000000. - Attacker sends the modified registration response to the server's registration verification endpoint via a POST request.
- The server calls the
attestationResult()function infido2-libto verify the attestation. attestationResult()internally callscbor-x.decode()to parse theattestationObject.cbor-x.decode()uses the vulnerablecbor-extractnative addon, which callsextractStrings()during CBOR parsing, leading to a heap buffer over-read and aSIGSEGVsignal, crashing the Node.js process. The attacker achieves denial of service.
Impact
Successful exploitation of this vulnerability results in a denial-of-service condition, crashing the Node.js server. While the exact number of affected systems is unknown, any application using fido2-lib versions up to 3.5.7 with the cbor-extract native addon installed is vulnerable. This can impact any service relying on WebAuthn for authentication, including financial institutions, SaaS providers, and any application requiring strong authentication. A successful attack disrupts service availability and potentially exposes the organization to reputational damage.
Recommendation
- Upgrade the
cbor-xdependency infido2-libto version 1.6.3 or higher to incorporate the fix for the heap buffer over-read, as described in the "Fix" section of this brief. - Monitor Node.js processes for unexpected exits with signal
SIGSEGV(exit code 139) to detect potential exploitation attempts, using the process creation log source. - Implement rate limiting on the WebAuthn registration endpoint to mitigate the impact of potential DoS attacks.
Detection coverage 2
Detect Node.js Process Exit with SIGSEGV
highDetects Node.js processes exiting with a SIGSEGV signal (exit code 139), which can indicate a crash due to memory corruption vulnerabilities like the cbor-extract heap buffer over-read.
Detect CBOR-related process crashing with signal SIGSEGV
highDetects CBOR-related process crashing with signal SIGSEGV
Detection queries are available on the platform. Get full rules →