New API Passkey-Based Secure Verification Bypass Vulnerability
Vulnerability
A logic flaw has been identified in the secure verification (step-up) process of New API, a large language model gateway and AI asset management system, in version 0.10.0 and later. An authenticated user who has a passkey registered can bypass the WebAuthn assertion requirement: the secure verification step can be marked complete without the user ever answering the passkey challenge. Because secure verification gates privileged actions, this lets such a user reach those actions without the additional proof the step was meant to require.
Impact
Exploitation of this vulnerability bypasses the intended step-up verification for privileged actions, allowing an already-authenticated user to reach sensitive endpoints without completing the second verification step. In the upstream project, this affects every action protected by the SecureVerificationRequired() middleware, most notably the root-only POST /api/channel/:id/key endpoint, which discloses stored channel secrets (upstream provider API keys).
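The following Go example illustrates the class of flaw described above and the check a hardened step-up handler performs. It is an added illustration, not New API's own code: the Session, VerifyRequest, BeginPasskeyVerify, VulnerableCompleteVerify and HardenedCompleteVerify names are hypothetical, and the WebAuthn assertion is reduced to its challenge-binding property (a real handler verifies the authenticator signature, origin and RP ID as well). The vulnerable variant treats "the user has a passkey registered" as if the passkey had been used; the hardened variant grants step-up only after a server-issued, unexpired, single-use challenge has been answered.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Session models the server-side state for one logged-in user (hypothetical).
type Session struct {
	UserID           int
	HasPasskey       bool      // a passkey credential is registered for this user
	PendingChallenge string    // challenge issued by BeginPasskeyVerify, empty if none
	ChallengeExpires time.Time // challenge validity deadline
	SecureVerifiedAt time.Time // zero until step-up verification succeeds
}

// VerifyRequest is what the client posts to finish step-up verification.
type VerifyRequest struct {
	Method    string // "passkey" (other methods omitted here)
	Assertion string // challenge echoed back from the WebAuthn assertion (simplified)
}

// stepUpWindow is how long a completed step-up stays valid (assumed value).
const stepUpWindow = 5 * time.Minute

// BeginPasskeyVerify issues a fresh random challenge and stores it on the session.
func BeginPasskeyVerify(s *Session, now time.Time) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	s.PendingChallenge = base64.RawURLEncoding.EncodeToString(buf)
	s.ChallengeExpires = now.Add(2 * time.Minute)
	return s.PendingChallenge, nil
}

// VulnerableCompleteVerify shows the flaw class: possession of a registered passkey
// is confused with having just used it. Any authenticated user with a passkey passes
// by sending method=passkey and no assertion at all.
func VulnerableCompleteVerify(s *Session, req VerifyRequest, now time.Time) error {
	if req.Method == "passkey" && s.HasPasskey {
		s.SecureVerifiedAt = now // BUG: no assertion was ever checked
		return nil
	}
	return errors.New("verification failed")
}

// HardenedCompleteVerify grants step-up only for an assertion bound to the
// server-issued, unexpired challenge, and consumes the challenge so it cannot be replayed.
func HardenedCompleteVerify(s *Session, req VerifyRequest, now time.Time) error {
	if req.Method != "passkey" {
		return errors.New("unsupported method")
	}
	if !s.HasPasskey {
		return errors.New("no passkey registered")
	}
	if s.PendingChallenge == "" || now.After(s.ChallengeExpires) {
		return errors.New("no valid pending challenge")
	}
	if subtle.ConstantTimeCompare([]byte(req.Assertion), []byte(s.PendingChallenge)) != 1 {
		return errors.New("assertion does not match challenge")
	}
	s.PendingChallenge = "" // single use
	s.SecureVerifiedAt = now
	return nil
}

// SecureVerificationRequired mirrors a step-up middleware check: the privileged
// action is allowed only if a step-up completed within the window.
func SecureVerificationRequired(s *Session, now time.Time) bool {
	return !s.SecureVerifiedAt.IsZero() && now.Sub(s.SecureVerifiedAt) <= stepUpWindow
}

func main() {
	now := time.Now()
	v := &Session{UserID: 1, HasPasskey: true}
	err := VulnerableCompleteVerify(v, VerifyRequest{Method: "passkey"}, now)
	fmt.Println("vulnerable, no assertion:", err, "step-up granted:", SecureVerificationRequired(v, now))

	h := &Session{UserID: 1, HasPasskey: true}
	fmt.Println("hardened, no assertion:", HardenedCompleteVerify(h, VerifyRequest{Method: "passkey"}, now))
	ch, _ := BeginPasskeyVerify(h, now)
	err = HardenedCompleteVerify(h, VerifyRequest{Method: "passkey", Assertion: ch}, now)
	fmt.Println("hardened, with assertion:", err, "step-up granted:", SecureVerificationRequired(h, now))
}
```

The point to check in any step-up implementation is that the state transition to "verified" happens only inside the code path that has just validated a fresh assertion, never in a branch keyed on which methods the account has enrolled.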
Remediation
Until a patched release is available, do not rely on passkeys as the step-up method for privileged secure-verification actions. Where operationally possible, require TOTP or another second factor for these actions instead, or temporarily restrict access to the endpoints protected by secure verification. Since the affected POST /api/channel/:id/key endpoint returns stored channel secrets, operators should also review access to it during the exposure window and rotate any channel keys they cannot rule out as disclosed.
