CVE-2024-39912
📋 TL;DR
This vulnerability in web-auth/webauthn-lib allows attackers to enumerate valid usernames when WebAuthn is used as the primary authentication method. By observing whether the 'allowedCredentials' property is present in assertion options responses, attackers can determine which usernames exist in the system. All applications using vulnerable versions of this library for WebAuthn authentication are affected.
💻 Affected Systems
- web-auth/webauthn-lib
- web-auth/webauthn-bundle
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate all valid usernames, enabling targeted credential stuffing, phishing, or social engineering attacks against known valid accounts.
Likely Case
Attackers identify valid usernames to focus brute-force or credential stuffing attacks, increasing success rates for account compromise.
If Mitigated
With proper monitoring and rate limiting, impact is limited to information disclosure about username existence without direct account access.
🎯 Exploit Status
Exploitation requires no authentication and involves simple API calls to observe response differences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.0
Vendor Advisory: https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-875x-g8p7-5w27
Restart Required: No
Instructions:
1. Update composer.json to require 'web-auth/webauthn-lib' version '^4.9.0'.
2. Run 'composer update web-auth/webauthn-lib'.
3. Clear the Symfony cache if using the bundle: 'php bin/console cache:clear'.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement rate limiting on WebAuthn assertion endpoints to prevent automated username enumeration.
- Add WebAuthn as a secondary authentication factor only, not as the primary authentication method.
🔍 How to Verify
Check if Vulnerable:
Check composer.lock for the installed 'web-auth/webauthn-lib' version. If the version is below 4.9.0 and WebAuthn is used as the primary authentication method, the system is vulnerable.
Check Version:
composer show web-auth/webauthn-lib | grep versions
Verify Fix Applied:
Verify composer.lock shows 'web-auth/webauthn-lib' version 4.9.0 or higher. Test that assertion options responses no longer leak username existence information.
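The check behind "responses no longer leak username existence", as an added example that is not the library's code: a leaky and a hardened assertion-options builder for a constructed user store, and a comparison of the response shape for a real and a made-up username. The `allowCredentials` key is the WebAuthn spec name for the member the advisory calls 'allowedCredentials'; the user store, relying-party ID and credential IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> registered credential IDs
# (base64url-shaped placeholders, not real authenticator output).
USERS = {
    "alice": ["Q3JlZDEtYWxpY2UtMDAwMDAwMDAwMDAw"],
    "bob": ["Q3JlZDEtYm9iLTAwMDAwMDAwMDAwMDAw", "Q3JlZDItYm9iLTAwMDAwMDAwMDAwMDAw"],
}
RP_ID = "login.example"          # placeholder relying-party ID
SERVER_SECRET = secrets.token_bytes(32)  # in practice a persisted per-deployment key


def base_options() -> dict:
    """Members every assertion-options response carries, independent of the user."""
    return {"challenge": secrets.token_urlsafe(32), "rpId": RP_ID,
            "userVerification": "preferred", "timeout": 60000}


def options_leaky(username: str) -> dict:
    """Mirrors the flaw: allowCredentials is emitted only when the username
    exists, so the mere presence of the member is a username oracle."""
    options = base_options()
    creds = USERS.get(username)
    if creds:
        options["allowCredentials"] = [{"type": "public-key", "id": c} for c in creds]
    return options


def options_hardened(username: str) -> dict:
    """Same response shape for every username. Unknown names get one decoy ID
    derived with an HMAC: stable across repeated requests, same length and
    encoding as a real ID, and unrelated to any registered credential."""
    options = base_options()
    creds = USERS.get(username)
    if creds is None:
        digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
        creds = [base64.urlsafe_b64encode(digest[:24]).decode().rstrip("=")]
    options["allowCredentials"] = [{"type": "public-key", "id": c} for c in creds]
    return options


def leaks_existence(build_options, known: str, unknown: str) -> bool:
    """Verification step: fetch options for a real and a made-up username and
    compare the set of top-level members; any difference leaks existence."""
    return set(build_options(known)) != set(build_options(unknown))
```

The number of entries in `allowCredentials` can be a secondary oracle (a user with two authenticators versus a single decoy), as can response timing and error codes, so a full verification compares those too, not only the member set.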
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of WebAuthn assertion requests to the same endpoint
- Multiple failed WebAuthn authentication attempts with different usernames
Network Indicators:
- HTTP requests to WebAuthn assertion endpoints with varying username parameters
- Pattern of requests checking for username existence
SIEM Query:
source='web_auth_logs' AND (endpoint LIKE '%assertion%' OR endpoint LIKE '%webauthn%') GROUP BY client_ip HAVING count(DISTINCT username) > threshold
(pseudo-query: enumeration shows up as many distinct usernames from one source, so group by the requesting client rather than by username; 'client_ip' and 'threshold' are placeholders for your log schema and baseline)
🔗 References
- https://github.com/web-auth/webauthn-framework/commit/64de11f6cddc71e56c76e0cc4573bf94d02be045
- https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-875x-g8p7-5w27