GHSA-G3QJ-J598-CXMQ
Vulnerability from github – Published: 2026-03-24 19:10 – Updated: 2026-03-24 19:10Summary
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.
The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.
Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.
Affected versions
fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old cbor package — not affected.
Only affects systems where cbor-extract native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.
PoC
const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)
CBOR text string header claiming 268MB in a 5-byte buffer. extractStrings() in extract.cpp line 87 calls readString() without bounds check. Reads past buffer into unmapped memory.
In context: attacker intercepts WebAuthn registration response, replaces attestationObject with the 5-byte payload, POSTs to the registration verification endpoint. Server calls attestationResult() → cbor-x.decode() → cbor-extract → SIGSEGV.
Fix
Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).
-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"
— Malik X (@Xvush)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.7"
},
"package": {
"ecosystem": "npm",
"name": "fido2-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:10:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nfido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract \u003c= 2.2.0 has a heap buffer over-read in `extractStrings()` \u2014 a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.\n\nThe crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint \u2014 single request, unauthenticated, instant kill.\n\nFixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.\n\n## Affected versions\n\nfido2-lib \u003c= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package \u2014 not affected.\n\nOnly affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.\n\n## PoC\n\n```js\nconst { decode } = require(\"cbor-x\");\ndecode(Buffer.from(\"7a10000000\", \"hex\")); // exit code 139 (SIGSEGV)\n```\n\nCBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.\n\nIn context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` \u2192 `cbor-x.decode()` \u2192 `cbor-extract` \u2192 SIGSEGV.\n\n## Fix\n\nBump cbor-x to \u003e= 1.6.3 (which pulls cbor-extract \u003e= 2.2.1).\n\n```diff\n-\"cbor-x\": \"~1.6.0\"\n+\"cbor-x\": \"^1.6.3\"\n```\n\n\u2014 Malik X (@Xvush)",
"id": "GHSA-g3qj-j598-cxmq",
"modified": "2026-03-24T19:10:38Z",
"published": "2026-03-24T19:10:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/webauthn-open-source/fido2-lib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.