Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-gq4g-fpc9-vjfq: Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection

0
Low
Published: 07/07/2026 (07/07/2026, 23:39:43 UTC)
Source: GCVE Database
Product: web-auth/webauthn-lib

Description

The Webauthn library's SimpleFakeCredentialGenerator, when instantiated without a secret, produces predictable fake credentials based solely on the username. This predictability allows attackers to distinguish between real and fake usernames, defeating the intended username enumeration protection. The issue affects versions from 4.9.0 up to but not including 5.3.5. The default Symfony bundle configuration is not affected as it injects a non-empty secret. The vulnerability is considered low severity since it only re-enables username enumeration and does not affect the validity of responses.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
Low
Vuln. Integrity
None
Vuln. Availability
None
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Affected software

Packagistghsa
web-auth/webauthn-lib
Affected versions
>=4.9.0 <5.3.5

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 13:41:02 UTC

Technical Analysis

The SimpleFakeCredentialGenerator in the web-auth/webauthn-lib library generates decoy PublicKeyCredentialDescriptor objects to mitigate username enumeration by making assertion requests for unknown users indistinguishable from real ones. However, when constructed without a secret (default is an empty string), the seed for generating decoys depends solely on the attacker-controlled username. This allows an unauthenticated attacker to reproduce the exact decoy list and determine if a username exists. The defect lies in the empty default secret, not the algorithm itself. The issue affects versions >=4.9.0 and <5.3.5. The vulnerability was fixed in version 5.3.5 by requiring a non-empty secret and emitting deprecation warnings for empty secrets. The Symfony bundle is unaffected by default as it uses a non-empty application secret.

Potential Impact

The vulnerability allows attackers to perform username enumeration by comparing the predictable fake credential responses generated without a secret. This undermines the username enumeration protection mechanism but does not affect the validity or security of actual credentials or authentication. The impact is limited to information disclosure about the existence of usernames.

Mitigation Recommendations

A fix is available in version 5.3.5 of web-auth/webauthn-lib. Users should upgrade to 5.3.5 or later. Until then, ensure that SimpleFakeCredentialGenerator is constructed with a non-empty, deployment-specific secret (e.g., the application secret). The Symfony bundle is not affected by default as it injects a non-empty secret. The library emits deprecation warnings when constructed without a secret to help detect misconfigurations. Providing a custom FakeCredentialGenerator implementation seeded with a secret is also a valid workaround.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-gq4g-fpc9-vjfq
Osv Schema Version
1.4.0
Aliases
[]
Ecosystems
["Packagist"]
Database Specific Severity
LOW
Cvss Version
4.0

Threat ID: 6a4e4ee7c9d9e3dbe3289b61

Added to database: 07/08/2026, 13:21:43 UTC

Last enriched: 07/08/2026, 13:41:02 UTC

Last updated: 07/09/2026, 03:23:25 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses