The web-auth webauthn-framework is a PHP library and Symfony bundle that facilitates integration of WebAuthn authentication into web applications. Prior to version 5.2.4, when the allowed_origins configuration was set, the framework's CheckAllowedOrigins function performed origin validation by reducing URL-like values to their host component only. This means that the scheme (e.g., http vs https) and port number were ignored during origin checks. As a result, the origin validation was incomplete and allowed origin policies could not be precisely enforced. An attacker could exploit this by crafting requests from origins that share the same host but differ in scheme or port, bypassing origin restrictions. This vulnerability is classified under CWE-346 (Origin Validation Error). The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the vulnerability is remotely exploitable without privileges but requires user interaction and results in limited confidentiality and integrity impact without affecting availability. The flaw could lead to unauthorized authentication or cross-origin request forgery scenarios, undermining the security guarantees of WebAuthn implementations relying on this library. The issue was addressed in version 5.2.4 by enforcing exact origin matching that includes scheme and port, restoring strict origin policy enforcement.

The vulnerability undermines the origin validation mechanism critical to WebAuthn authentication flows, potentially allowing attackers to bypass origin restrictions. This can lead to unauthorized authentication attempts, session hijacking, or cross-origin attacks that compromise user credentials or session integrity. Organizations using vulnerable versions of the webauthn-framework may face increased risk of account takeover or impersonation attacks. The impact is primarily on confidentiality and integrity of authentication processes, with no direct availability impact. Because WebAuthn is increasingly adopted for strong passwordless authentication, exploitation could erode trust in authentication security and expose sensitive user accounts. The vulnerability affects any web application integrating the vulnerable library versions, especially those exposed to untrusted networks or users. While no known exploits are reported, the ease of exploitation due to lack of required privileges and remote accessibility makes timely remediation important to prevent potential attacks.

Organizations should upgrade the web-auth webauthn-framework to version 5.2.4 or later, where the origin validation logic correctly enforces exact origin matching including scheme and port. Until upgrade is possible, developers should implement additional server-side origin checks that verify the full origin string rather than just the host component. Security teams should audit their WebAuthn implementations to confirm they do not rely solely on host-based origin validation. Web application firewalls (WAFs) can be configured to detect and block suspicious cross-origin requests that do not match expected schemes and ports. Monitoring authentication logs for unusual origin patterns or failed authentication attempts from unexpected origins can help detect exploitation attempts. Educating developers about the importance of strict origin validation in WebAuthn flows is also recommended to prevent similar issues.