Advisories for Composer/Web-Auth/Webauthn-Framework package

In version 5.3.0 of the Symfony bundle, Webauthn\Bundle\Policy\ClientOverridePolicy defaulted to allowing all client overrides, including userVerification. A client could send {"userVerification": "discouraged"} in the assertion or attestation options request to override a server-configured userVerification: required, causing the emitted WebAuthn options to instruct the authenticator to skip user verification. The CheckUserVerification ceremony step then read the same downgraded options and skipped its check.

When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

Webauthn Framework has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.