PT-2026-39163 · Crates.Io · Webauthn-Authenticator-Rs+1
Published
2026-05-06
·
Updated
2026-05-06
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
webauthn-rs-core ([Relying Party][rp]) and webauthn-authenticator-rs ([client][]) checked that [an Origin in CollectedClientData][origin] is valid for [an RP ID][rpid] with [str::ends with()][ends-with], without checking for a dot (.) before the RP ID when allowing subdomains.This check is flawed, and could allow requests from an attacker-controlled domain such as
hermit-crab.example to be accepted for the RP ID crab.example (assuming .example was publicly-registerable TLD) when the RP allows authenticating from a subdomain (disabled by default in webauthn-rs-core and webauthn-rs).[ends-with]: https://doc.rust-lang.org/stable/std/primitive.str.html#method.ends with
[client]: https://www.w3.org/TR/webauthn-3/#client
[rp]: https://www.w3.org/TR/webauthn-3/#relying-party
[rpid]: https://www.w3.org/TR/webauthn-3/#rp-id
[origin]: https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-origin
- In
webauthn-rs-core, this only applies when: - [
WebauthnCore::allow subdomains origin](https://docs.rs/webauthn-rs-core/0.5.4/webauthn rs core/struct.WebauthnCore.html#method.new unsafe experts only) istrue(the default isfalse), and - the attacker could register a domain that ends with the RP ID as a raw string, and,
- the client does not implement these checks correctly either
webauthn-rs can set allow subdomains origin via [WebauthnBuilder::allow subdomains](https://docs.rs/webauthn-rs/0.5.4/webauthn rs/struct.WebauthnBuilder.html#method.allow subdomains). Fixing the bug in webauthn-rs-core also fixes it in webauthn-rs.- In
webauthn-authenticator-rs, the flawed check is in [WebauthnAuthenticator::do registration()](https://docs.rs/webauthn-authenticator-rs/0.5.4/webauthn authenticator rs/struct.WebauthnAuthenticator.html#method.do registration) and [do authentication()](https://docs.rs/webauthn-authenticator-rs/0.5.4/webauthn authenticator rs/struct.WebauthnAuthenticator.html#method.do registration).
A conforming [Relying Party][rp] implementation would reject such requests, but
webauthn-rs-core did not.An application can still provide an incorrect
origin parameter to webauthn-authenticator-rs, or use lower-level APIs that bypass these checks entirely, and this is by design.Details
webauthn-rs-core/src/core.rsline 1213:
webauthn-authenticator-rs/src/lib.rsline 274:
webauthn-authenticator-rs/src/lib.rsline 335:
[
str::ends with()][ends-with] performs a raw string suffix match without enforcing a domain label boundary:| Origin | RP ID | Expected result | Result with incorrect ends with check |
|---|---|---|---|
hermit-crab.example | crab.example | rejected | accepted (bug!) |
auth.crab.example | crab.example | accepted | accepted (subdomain) |
crab.example | crab.example | accepted | accepted (exact match) |
hermit-crab.example | auth.crab.example | rejected | rejected |
auth.crab.example | auth.crab.example | accepted | accepted (exact match) |
Fix
When
webauthn-rs-core v0.5.5 checks if an Origin is a valid subdomain of an RP ID, it will check that it ends with the RP ID prefixed with a dot (.{rp id}). webauthn-rs v0.5.5 will be fixed by depending on webauthn-rs-core v0.5.5.webauthn-authenticator-rs v0.5.5 now uses webauthn-rs-core's checks in WebauthnAuthenticator.Regression tests for this bug have been added to both libraries.
Impact
With a both a non-conforming [client][] implementation and vulnerable version of
webauthn-rs-core configured to allow subdomains (not the default), this bug would allow an attacker at hermit-crab.example to phish a target's credential for the RP ID crab.example by directly proxying a legitimate navigator.credentials.get() request on the attacker's domain.However, conforming [client implementations][client] (ie: all web browsers) will refuse to process WebAuthn requests for an RP ID that does not match the
Origin of the current page and is not a related Origin.In the scenario above with conforming client-side checks, this would force the attacker to change the request's RP ID to
hermit-crab.example (the attacker's Origin). This would also change the RP ID hash, and webauthn-rs-core would reject it (per WebAuthn §7.2 Step 15).Severity
Per WebAuthn §13.4.9:
The Relying Party MUST NOT accept unexpected values of origin, as doing so could allow a malicious website to obtain valid credentials. Although the scope of WebAuthn credentials prevents their use on domains outside the RP ID they were registered for, the Relying Party’s origin validation serves as an additional layer of protection in case a faulty authenticator fails to enforce credential scope.
Unfortunately, the chain needed to exploit this bug makes it difficult to classify with the CVSS framework. Kanidm came up with anywhere between "low" and "high" depending on the approach, and GitHub only provides one CVSS field for everything.
An attacker could easily bypass a correctly-implemented server-side
Origin check, if they can convince a target to use their authenticator with an attacker-controlled client device or buggy/malicious client application. FIDO's Security Reference assumes that "the FIDO user device and applications involved in a FIDO operation are trustworthy agents of the user", and violating that limits the protections FIDO can provide, so it would be ridiculous to describe those bypasses as a "high" severity vulnerability.However,
webauthn-rs-core should take reasonable steps to prevent these sorts of issues where it can, especially when they're part of the WebAuthn specification.Due to the complex preconditions and non-default configuration required to execute a successful attack, and that it is not exploitable in popular web browsers, Kanidm considers this a low severity issue.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Webauthn-Authenticator-Rs
Webauthn-Rs-Core