fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead. The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill. …