GHSA-g3qj-j598-cxmq: fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.
The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.
Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.
References
- github.com/advisories/GHSA-g3qj-j598-cxmq
- github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca
- github.com/kriszyp/cbor-extract/issues/2
- github.com/kriszyp/cbor-extract/issues/3
- github.com/webauthn-open-source/fido2-lib
- github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq
Code Behaviors & Features
Detect and mitigate GHSA-g3qj-j598-cxmq with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →