fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
Severity: High
Description
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract, a C++ native addon. cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings(): a 5-byte CBOR payload is enough to crash Node.js with SIGSEGV. Because the fault occurs in native code, it surfaces as no JavaScript exception, cannot be caught with try/catch, and terminates the process outright.
Recommendation
Update the fido2-lib package to the latest compatible version. Version details:
- Affected version(s): <= 3.5.7
- Patched version(s): 3.5.8
Last updated on March 24, 2026