Improper Validation of Unsafe Equivalence in Input Affecting webauthn-rs-core package, versions <0.5.5>=0.6.0-dev <0.6.1-dev
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-WEBAUTHNRSCORE-16624659
- published10 May 2026
- disclosed6 May 2026
- creditdorakemon
Introduced: 6 May 2026
New CVE NOT AVAILABLE CWE-1289 (opens in a new tab)How to fix?
Upgrade webauthn-rs-core to version 0.5.5, 0.6.1-dev or higher.
Overview
Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the do_registration and do_authentication functions when subdomain origin validation is enabled and the client implementation does not properly enforce origin checks. An attacker can gain unauthorized access to credentials by registering a domain that ends with the relying party ID and proxying legitimate authentication requests. This is only exploitable if subdomain origin validation is enabled (not the default), the attacker can register a domain with a suffix matching the RP ID, and the client implementation does not correctly enforce origin validation.