GHSA-g3qj-j598-cxmq

Summary

fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.

The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.

Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.

Affected versions

fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old cbor package — not affected.

Only affects systems where cbor-extract native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.

PoC

const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)

CBOR text string header claiming 268MB in a 5-byte buffer. extractStrings() in extract.cpp line 87 calls readString() without bounds check. Reads past buffer into unmapped memory.

In context: attacker intercepts WebAuthn registration response, replaces attestationObject with the 5-byte payload, POSTs to the registration verification endpoint. Server calls attestationResult() → cbor-x.decode() → cbor-extract → SIGSEGV.

Fix

Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).

-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"

— Malik X (@Xvush)