Symfony Webauthn Bundle, User Verification Downgrade, GHSA-h4fw-6r7f-w494 (Low)


Technical Explanation of the Vulnerability

  1. The vulnerability exists in Symfony Webauthn Bundle version 5.3.0.
  2. In this version, `ClientOverridePolicy` defaulted to allowing all client overrides.
  3. This includes the `userVerification` parameter, which controls whether user verification (e.g., PIN or biometric) is required.
  4. A malicious client can send a request with `{"userVerification": "discouraged"}` in the assertion or attestation options request.
  5. This overrides the server-configured `userVerification: required` value.
  6. The emitted WebAuthn options then instruct the authenticator to skip user verification entirely.
  7. The `CheckUserVerification` ceremony step reads the same downgraded options.
  8. Consequently, the ceremony step also skips its verification check.
  9. This allows an attacker with physical possession of the victim's authenticator to bypass the user verification requirement.
  10. Versions 5.0.0 to 5.2.x do not include `ClientOverridePolicy`, but they are still vulnerable via a similar path in the request options builders.
  11. In older versions, client-supplied `userVerification` is passed directly to the options factory.
  12. The profile value is applied only via the `??=` operator, so it fills in the setting only when the client sent nothing, leaving the client able to downgrade it.
  13. The severity is considered low because the attacker must already have the victim's authenticator (e.g., a stolen security key).
  14. Additionally, the framework exposes the actual user verification outcome via `AuthenticatorData::isUserVerified()`.
  15. Applications that gate sensitive operations on this flag remain protected even on the vulnerable version.
  16. The fix changes `ClientOverridePolicy::canOverride()` to default to `false` instead of `true`.
  17. The Symfony bundle DI configuration now disables user verification overrides by default.
  18. The `allowed_values` list excludes `discouraged` even when an operator opts in.
  19. The vulnerability was reported by @offset and patched in version 5.3.1.
  20. Users on any version from 5.0.0 to 5.3.0 should upgrade to 5.3.1 or later.
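The following is an added illustration, not code from the bundle: a simplified model of the `??=` merge described above beside a hardened merge that mirrors the 5.3.1 defaults (overrides off, `discouraged` never in the allow-list), plus the application-level gate on the real ceremony outcome. The function names, `$profile`, and the constructed client request are hypothetical; with the same downgrade request, the vulnerable merge emits `discouraged` while the hardened merge keeps `required`.

```php
<?php
// Added example (not the bundle's own code). Models the server-side profile
// being merged with a client-supplied "userVerification" value.
declare(strict_types=1);

// Server-side profile: the operator configured user verification as required.
$profile = ['userVerification' => 'required'];

// Constructed client request body: a downgrade attempt.
$clientRequest = json_decode('{"userVerification": "discouraged"}', true);

// Vulnerable pattern: the client array is the starting point and the profile
// is applied only with ??=, i.e. only when the client sent nothing at all.
// A client that sends a value therefore wins over the server configuration.
function mergeVulnerable(array $profile, array $client): array
{
    $options = $client;
    $options['userVerification'] ??= $profile['userVerification'];
    return $options;
}

// Hardened pattern: the profile is the baseline. A client value is honoured
// only when overrides are explicitly enabled AND the value is in an allow-list
// that never contains "discouraged" (the post-fix defaults described above).
function mergeHardened(
    array $profile,
    array $client,
    bool $canOverride = false,
    array $allowedValues = ['required', 'preferred']
): array {
    $options = $profile;
    $requested = $client['userVerification'] ?? null;
    if ($canOverride
        && $requested !== null
        && $requested !== 'discouraged'
        && in_array($requested, $allowedValues, true)) {
        $options['userVerification'] = $requested;
    }
    return $options;
}

// Application-level gate on the actual ceremony outcome, independent of the
// requested options. $isUserVerified stands in for AuthenticatorData::isUserVerified().
function assertUserVerified(bool $isUserVerified): void
{
    if (!$isUserVerified) {
        throw new RuntimeException('User verification is required.');
    }
}

printf("vulnerable merge: %s\n", mergeVulnerable($profile, $clientRequest)['userVerification']);
printf("hardened merge:   %s\n", mergeHardened($profile, $clientRequest)['userVerification']);
printf("hardened, override enabled: %s\n", mergeHardened($profile, $clientRequest, true)['userVerification']);
```

Even with `$canOverride = true`, the hardened merge refuses `discouraged`, which is the behaviour the `allowed_values` change in 5.3.1 is meant to guarantee.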

DailyCVE Form

Platform: Symfony Webauthn Bundle
Version: 5.3.0
Vulnerability: UV Downgrade
Severity: Low
Date: 2026-05-01

Prediction: Patch 2026-05-02

What Undercode Say:

```shell
# Check installed version of web-auth/webauthn-framework
composer show web-auth/webauthn-framework

# Verify if ClientOverridePolicy is vulnerable (true = vulnerable)
grep -r "ClientOverridePolicy::canOverride" vendor/webauthn/webauthn-bundle/

# Check for userVerification downgrade attempts in logs
grep "userVerification.discouraged" var/log/webauthn.log

# Apply the patch by upgrading to version 5.3.1
composer update web-auth/webauthn-framework:5.3.1

# After upgrade, verify that overrides are disabled
php bin/console debug:config webauthn user_verification_overrides

# Run a security check to confirm the fix
symfony check:security
```

Exploit:

  1. Gain physical access to the target user's authenticator (e.g., a YubiKey or a device with built-in WebAuthn).
  2. Initiate a WebAuthn assertion or attestation request to the Symfony application.
  3. Intercept the request and modify the JSON body to include `"userVerification": "discouraged"`.
  4. Forward the modified request to the server.
  5. The server accepts the override and generates WebAuthn options with user verification disabled.
  6. Complete the authentication ceremony without providing a PIN or biometric verification.
  7. The server's `CheckUserVerification` step skips the validation, granting access.

Protection from this CVE

  • Immediately upgrade to version 5.3.1 or later of the `web-auth/webauthn-framework` bundle.
  • If an immediate upgrade is not possible, add an explicit application-level check on the verification flag returned by the ceremony:

    ```php
    use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

    // Gate on the authenticator's reported outcome, not on the requested options.
    if (! $authenticatorData->isUserVerified()) {
        throw new AccessDeniedHttpException('User verification is required.');
    }
    ```

  • Ensure that sensitive operations are gated on the actual user verification outcome, not on the requested options.
  • Monitor logs for requests containing `"userVerification": "discouraged"` to detect potential exploitation attempts.
  • For versions 5.0.0–5.2.x, the same mitigation applies, but upgrading to 5.3.1 is strongly encouraged.

Impact

  • An attacker with physical access to a user’s WebAuthn authenticator can bypass user verification (e.g., PIN or biometric check).
  • This weakens two-factor authentication, potentially allowing unauthorized access to high-risk operations.
  • The impact is mitigated if the application already checks `AuthenticatorData::isUserVerified()` after a successful ceremony.
  • The exposure window is minimal (approximately 18 hours) due to the fast patch release.
  • No direct remote exploitation is possible without possession of the authenticator, which limits the overall risk.

Sources:

Reported By: github.com