fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
- Severity: High
Description
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract, a C++ native addon that accelerates string extraction during CBOR decoding. cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings(): a 5-byte CBOR payload is enough to crash Node.js with SIGSEGV. Because the fault happens in native code, no JavaScript exception is raised, try/catch cannot intercept it, and the whole process dies. In fido2-lib the decoder is reached through attestation parsing, so a crafted attestation object submitted during registration can take down the relying party process.
Recommendation
Update fido2-lib to the latest compatible version. Version details:
- Affected version(s): <= 3.5.7
- Patched version(s): 3.5.8
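Because the vulnerable code lives in an optional native dependency several levels below fido2-lib, a plain `npm ls fido2-lib` does not tell you whether cbor-extract is actually installed. The script below is an added example (not part of this advisory, of fido2-lib or of cbor-x) that audits an npm lockfile for the two affected ranges stated above; the `packages` map layout is the lockfile v2/v3 format, and the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3) for the
// affected ranges from the advisory above. Not code from fido2-lib or cbor-x.

// Affected ranges taken from the advisory: fido2-lib <= 3.5.7 (patched in
// 3.5.8) and cbor-extract <= 2.2.0, the addon that contains the over-read.
const AFFECTED = {
  'fido2-lib':    (v) => cmp(v, '3.5.7') <= 0,
  'cbor-extract': (v) => cmp(v, '2.2.0') <= 0,
};

// Minimal numeric semver compare on major.minor.patch; a leading ^ ~ or v is
// stripped and any pre-release suffix is ignored. Returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.replace(/^[v^~]/, '').split('-')[0].split('.').map(Number);
  const pb = b.replace(/^[v^~]/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map. Keys look like "node_modules/fido2-lib" or, for a
// nested install, "node_modules/cbor-x/node_modules/cbor-extract"; the last
// node_modules segment is the package name (scoped names keep their "@scope/").
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // the "" key is the root project itself
    const name = path.split('node_modules/').pop();
    const check = AFFECTED[name];
    if (check && meta.version && check(meta.version)) {
      findings.push({ name, version: meta.version, path, optional: !!meta.optional });
    }
  }
  return findings;
}

// Constructed sample lockfile: a relying party on fido2-lib 3.5.7 whose
// cbor-x resolved its optional native addon at the vulnerable version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-rp', version: '1.0.0' },
    'node_modules/fido2-lib': { version: '3.5.7' },
    'node_modules/cbor-x': { version: '1.6.0' },
    'node_modules/cbor-extract': { version: '2.2.0', optional: true },
  },
};

// CLI entry point: `node audit-lock.js [path/to/package-lock.json]`.
// Without an argument the constructed sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}${f.optional ? ' (optional dep)' : ''}`);
  }
  if (findings.length === 0) console.log('no affected packages found');
  if (lockPath) process.exitCode = findings.length ? 1 : 0; // non-zero for CI on real lockfiles
}
```

Run it against a real `package-lock.json` in CI; a non-zero exit means the vulnerable addon (or the unpatched fido2-lib) is present in the tree. Note that an `optional: true` hit on cbor-extract still counts: cbor-x loads the addon whenever its install succeeded, so the fix is to move to fido2-lib 3.5.8, not to assume the optional dependency was skipped.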
- Tags: npm, fido2-lib
Last updated on March 24, 2026