Authentication Bypass Using an Alternate Path or Channel in io.quarkus:quarkus-security-webauthn | CVE-2024-12225

Q: How to fix?

Upgrade io.quarkus:quarkus-security-webauthn to version 3.18.0.CR1 or higher.

Introduced: 28 Feb 2025

CVE-2024-12225 (opens in a new tab) CWE-288 (opens in a new tab)

How to fix?

Upgrade io.quarkus:quarkus-security-webauthn to version 3.18.0.CR1 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel through the default REST endpoints. An attacker can bypass authentication controls and potentially log in as an existing user without proper credentials by exploiting these endpoints. This is only exploitable if custom REST endpoints are provided by developers but the default endpoints are not disabled.

Workaround

This vulnerability can be mitigated by disabling the default endpoints after creating a custom one. For example with the call for:

import io.vertx.ext.web.Router;
import jakarta.enterprise.event.Observes;
public class Startup {
public void init(@Observes Router router) {
System.err.println("Securing WebAuthn default controller");
router.post("/q/webauthn/callback").order(0).handler(rc -> rc.fail(404));
}
}

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Authentication Bypass Using an Alternate Path or Channel Affecting io.quarkus:quarkus-security-webauthn package, versions [,3.18.0.CR1)

Severity

Do your applications use this vulnerable package?