Advisories for Composer/Web-Auth/Webauthn-Lib package

2026

Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.

2024

The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.