Discourse WebAuthn Challenge Reuse Vulnerability After 2FA Authentication

Vulnerability

A vulnerability exists in Discourse, an open-source community discussion platform, in versions prior to 3.4.7 on the stable branch and prior to 3.5.0.beta.8 on the tests-passed branch. The issue arises when a physical security key is used for two-factor authentication (2FA). The server generates a WebAuthn challenge that the client signs, but this challenge is not removed from the user's session after authentication. This oversight could allow the challenge to be reused, posing a security risk.

Impact

A WebAuthn challenge is meant to be used once. Because the challenge stays in the user's session, it could be reused without authorization, potentially allowing repeated authentication actions that should be one-time only and increasing the risk of bypassing security measures.

Reproduction

To reproduce this vulnerability, use a physical security key for two-factor authentication on a Discourse instance running a vulnerable version. After authentication, the WebAuthn challenge will remain in the user's session, allowing for potential reuse.

Remediation

Users can update to Discourse versions 3.4.7 or later on the stable branch, or 3.5.0.beta.8 or later on the tests-passed branch.
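
The single-use property at issue, as an added example that is not Discourse's code and is not taken from the fix: a verifier that leaves the challenge in the session is shown beside one that consumes it before checking. All names, the session key and the lifetime are assumptions, a plain Hash stands in for the session, and an HMAC stands in for the security key's signature.

```ruby
require "securerandom"
require "openssl"

# Hypothetical names throughout; a plain Hash stands in for the server-side session.
module TwoFactorDemo
  KEY = :webauthn_challenge            # assumed session key
  TTL = 120                            # assumed challenge lifetime in seconds
  DEVICE_KEY = "constructed-demo-key"  # constructed; HMAC stands in for the key's signature

  # Server: create a random challenge and bind it to the session.
  def self.issue(session, now = Time.now.to_i)
    session[KEY] = { value: SecureRandom.hex(32), issued_at: now }
    session[KEY][:value]
  end

  # Client and security key: sign the challenge (simplified assertion).
  def self.sign(challenge)
    { challenge: challenge,
      sig: OpenSSL::HMAC.hexdigest("SHA256", DEVICE_KEY, challenge) }
  end

  def self.valid_sig?(assertion)
    expected = OpenSSL::HMAC.hexdigest("SHA256", DEVICE_KEY, assertion[:challenge])
    OpenSSL.secure_compare(expected, assertion[:sig])
  end

  # Pattern the advisory describes: the challenge stays in the session.
  def self.verify_keep(session, assertion)
    entry = session[KEY]
    !entry.nil? && entry[:value] == assertion[:challenge] && valid_sig?(assertion)
  end

  # Single-use pattern: consume the challenge first, so neither a success
  # nor a failure leaves anything a second submission could match.
  def self.verify_once(session, assertion, now = Time.now.to_i)
    entry = session.delete(KEY)
    return false if entry.nil? || now - entry[:issued_at] > TTL
    entry[:value] == assertion[:challenge] && valid_sig?(assertion)
  end

  # Returns [first_attempt, second_attempt_with_same_assertion].
  def self.replay(verifier)
    session = {}
    assertion = sign(issue(session))
    [send(verifier, session, assertion), send(verifier, session, assertion)]
  end
end
```

A regression test for an upgraded instance can assert the same thing: after a successful security-key login, the session no longer holds a challenge.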

Added: Jul 29, 2025, 8:21 PM
Updated: Jul 29, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.