Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. web-auth/webauthn-lib
  4. ›
  5. GHSA-gq4g-fpc9-vjfq

GHSA-gq4g-fpc9-vjfq: Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection

July 7, 2026

Webauthn\SimpleFakeCredentialGenerator is the library-provided default implementation of the FakeCredentialGenerator interface. It returns a stable list of decoy PublicKeyCredentialDescriptor objects for a given username so that an assertion request for an unknown user looks the same as a request for a real one, which mitigates username enumeration.

The generator derives the whole decoy list from a single seed:

$seed = hash('sha256', $username . $this->secret, true);

When it is constructed without a secret (its constructor default, $secret = ''), the seed depends only on the username. The username is attacker-chosen and the algorithm is public, so an unauthenticated requester can recompute the exact, byte-for-byte decoy list the server returns for any username. The attacker then compares a probed username’s response against the locally computed list and decides whether the account is real or fake, which is precisely the distinction the mechanism is meant to hide.

With any non-empty secret the seed becomes a value the attacker cannot evaluate and the mitigation holds. The defect is the empty default, not the algorithm.

References

  • github.com/advisories/GHSA-gq4g-fpc9-vjfq
  • github.com/web-auth/webauthn-framework/security/advisories/GHSA-gq4g-fpc9-vjfq

Code Behaviors & Features

Detect and mitigate GHSA-gq4g-fpc9-vjfq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.9.0 before 5.3.5

Fixed versions

  • 5.3.5

Solution

Upgrade to version 5.3.5 or above.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-204: Observable Response Discrepancy
  • CWE-330: Use of Insufficiently Random Values

Source file

packagist/web-auth/webauthn-lib/GHSA-gq4g-fpc9-vjfq.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 08 Jul 2026 12:19:06 +0000.