Jul 8, 2026·5 min read·5 visits
The default WebAuthn fake credential generator uses an empty secret, making decoy credentials predictable and enabling unauthenticated username enumeration.
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.
The web-auth/webauthn-lib library implements WebAuthn (FIDO2) authentication for PHP applications. A critical defense mechanism in multi-user authentication interfaces is the mitigation of username enumeration. When an unauthenticated request is received, the server must behave consistently whether the user exists or not.
To accomplish this, secure WebAuthn implementations return fake credential descriptors when a user is not found. The SimpleFakeCredentialGenerator class serves as the default library-provided mechanism to generate these decoy descriptors. This ensures the client receives a populated list of allowed credentials in both scenarios.
However, the default implementation generates predictable responses if it is not configured with a secure cryptographic key. An attacker can analyze the returned credentials to determine account existence on the target system. This leads to information disclosure through discrepancies in response values.
The root cause of the vulnerability lies in the implementation of the seed generation algorithm inside Webauthn\SimpleFakeCredentialGenerator. The generator creates a deterministic seed by hashing the username combined with a configured secret key.
When the generator is instantiated, the $secret constructor argument defaults to an empty string. If the application developer does not explicitly provide a high-entropy secret, the seed calculation simplifies to hashing only the attacker-controlled username.
Because the hashing process is entirely deterministic and uses public parameters, an attacker can reproduce the entire generation process locally. By feeding arbitrary usernames into a local simulation of the algorithm, the attacker can precompute the exact fake credential IDs and transport options that the server would return for any non-existent user.
Let us examine the vulnerable constructor signature in the SimpleFakeCredentialGenerator class. The parameter $secret is defined as an optional string parameter with an empty default value.
// Vulnerable implementation in web-auth/webauthn-lib
public function __construct(
private string $secret = '', // Insecure default value
// ... other parameters
) {
}The generation of the decoy descriptors relies on the $secret property. The library uses the hash function with the SHA-256 algorithm to derive the cryptographic seed for the credentials.
// Seed derivation logic
$seed = hash('sha256', $username . $this->secret, true);In version 5.3.5, the vendor mitigated the issue by adding validation and triggering deprecation warnings when an empty secret is detected. Future major versions will enforce a non-empty string requirement.
// Mitigation introduced in version 5.3.5
if ($this->secret === '') {
trigger_deprecation(
'web-auth/webauthn-lib',
'5.3.5',
'Using an empty secret in SimpleFakeCredentialGenerator is deprecated and will be removed in 6.0.0.'
);
}To exploit the vulnerability, an attacker first selects a target email address or username. Using a local copy of the PHP derivation algorithm, the attacker generates the expected decoy credentials for that identity using an empty secret.
The attacker then initiates an authentication session on the target server using the target username. The server processes the request and returns a list of allowed credential descriptors to the client.
The attacker compares the returned list against the precomputed local decoys. If the lists match exactly, the username does not exist on the server. If they differ, the server has returned the real public key credential descriptors belonging to an active account.
Here is a visual overview of this validation discrepancy:
The security impact of this vulnerability is classified as Low with a CVSS score of 2.3. The vulnerability does not allow remote code execution, privilege escalation, or unauthorized access to user accounts.
The primary impact is the complete bypass of the username enumeration defenses implemented by the WebAuthn library. Attackers can reliably build lists of registered users on the target platform by automating queries against the endpoint.
This structured exposure of user presence supports subsequent target reconnaissance campaigns. Attackers can leverage the collected active usernames for highly targeted spear-phishing, credential stuffing, or social engineering attacks.
Organizations using web-auth/webauthn-lib must upgrade to version 5.3.5 or later. This ensures that the application receives proper runtime warnings and prepares the codebase for strict validation in major version 6.0.0.
When utilizing the library programmatically, developers must explicitly pass a cryptographically secure, high-entropy string as the secret parameter. Do not rely on default parameters during instantiation.
If using the Symfony integration, the bundle handles configuration automatically by injecting the application's global secret. Ensure the kernel.secret parameter in your Symfony framework configuration is set to a secure, non-default value.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P| Product | Affected Versions | Fixed Version |
|---|---|---|
web-auth/webauthn-lib web-auth | >= 4.9.0, < 5.3.5 | 5.3.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-203 |
| Attack Vector | Network |
| CVSS v4.0 | 2.3 (Low) |
| Exploit Status | Proof-of-Concept |
| Impact | Username Enumeration |
| KEV Status | Not Listed |
The product behaves differently when executing operations with different inputs in a way that exposes sensitive state or information.
A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.
The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.
An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.
A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.
A security vulnerability in @better-auth/oauth-provider allows OAuth clients to obtain access tokens for unauthorized audiences due to unbound resource indicators. The implementation fails to bind the requested target resource to the initial authorization grant. Consequently, a client can request an access token targeting any resource server within the global allowlist, bypassing user consent boundaries.
A stored cross-site scripting vulnerability exists in the oidc-provider and mcp plugins of Better Auth. Attackers can register malicious clients with javascript: redirect URIs, leading to origin takeover when users authorize the client.