web-auth/webauthn-framework
cpe:2.3:a:spomky-labs:webauthn_framwork:*:*:*:*:*:*:*
- < 5.2.4
A vulnerability exists in the WebAuthn PHP libraries and Symfony bundle (web-auth/webauthn-framework) in versions prior to 5.2.4. When the 'allowed_origins' setting is used, the 'CheckAllowedOrigins' component reduces URL-like entries, and the origin reported by the client, to their host names, discarding the scheme and port. Two origins that differ only in scheme or port therefore compare as equal. In browsers an origin is the tuple (scheme, host, port), so 'https://example.com:8443' and 'https://example.com:9443' are distinct origins that this check conflates.
The result is incorrect origin validation: the relying party accepts authentication and registration responses whose 'clientDataJSON' origin should have been rejected under the WebAuthn specification, which requires the client-reported origin to match the relying party's expected origin. A response produced on a same-host origin that the relying party never authorized (a different port, or plain HTTP instead of HTTPS) is treated as legitimate.
To reproduce, configure 'allowed_origins' with an entry that carries an explicit port, such as 'https://example.com:8443'. Then submit a client response whose origin shares the host but uses a different port, such as 'https://example.com:9443'. The response is accepted, demonstrating the flaw; the expected behaviour is rejection, since only an exact origin match is acceptable.
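The following PHP snippet is an added illustration of the flaw described above and is not code from the webauthn-framework project: 'hostOnlyAllowed()' mirrors the host-only comparison the advisory describes, and 'strictOriginAllowed()' shows an exact scheme/host/port comparison of the kind the WebAuthn specification calls for. All function names are hypothetical; the normalisation of default ports (443 for https, 80 for http) is an assumption made so that 'https://example.com' and 'https://example.com:443' compare as the same origin, as they do in browsers.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the library's API): the weak behaviour,
// keeping only the lower-cased host of each origin.
function hostOnly(string $origin): ?string
{
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

function hostOnlyAllowed(string $clientOrigin, array $allowedOrigins): bool
{
    $host = hostOnly($clientOrigin);
    if ($host === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        // Scheme and port are discarded, so https://example.com:9443
        // is accepted when https://example.com:8443 is configured.
        if (hostOnly($allowed) === $host) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: canonical "scheme://host:port" form of an origin.
// Default ports are filled in (assumption) so that browser-serialised
// origins, which omit them, compare equal to explicit forms.
function normalizeOrigin(string $origin): ?string
{
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host = strtolower($parts['host']);
    $defaults = ['https' => 443, 'http' => 80];
    $port = $parts['port'] ?? ($defaults[$scheme] ?? null);
    if ($port === null) {
        return null; // unknown scheme with no explicit port: refuse
    }
    return sprintf('%s://%s:%d', $scheme, $host, $port);
}

function strictOriginAllowed(string $clientOrigin, array $allowedOrigins): bool
{
    $client = normalizeOrigin($clientOrigin);
    if ($client === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        // Exact tuple match: scheme, host and port must all agree.
        if (normalizeOrigin($allowed) === $client) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the configured origin from the advisory and
// several client-reported origins, including the advisory's bad case.
$allowed = ['https://example.com:8443'];
$cases = [
    'https://example.com:8443', // legitimate
    'https://example.com:9443', // different port: must be rejected
    'http://example.com:8443',  // different scheme: must be rejected
    'https://example.com',      // default port 443: must be rejected
];
foreach ($cases as $origin) {
    printf(
        "%-26s host-only: %-6s strict: %s\n",
        $origin,
        hostOnlyAllowed($origin, $allowed) ? 'accept' : 'reject',
        strictOriginAllowed($origin, $allowed) ? 'accept' : 'reject'
    );
}
```

Run with 'php origin-check.php': the host-only column accepts all four origins, while the strict column accepts only 'https://example.com:8443'. The strict comparison refuses anything 'parse_url()' cannot split into a scheme and host, so a malformed origin is rejected rather than silently matched.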
Users should upgrade to WebAuthn Framework version 5.2.4 or later, which corrects the origin comparison. Upgrade instructions are available in the WebAuthn Framework repository on GitHub.