
fix(deps): bump web-auth/webauthn-lib from 4.9.2 to v5 - autoclosed#950

Closed

renovate[bot] wants to merge 1 commit into main from renovate/packagist-web-auth-webauthn-lib-vulnerability

Conversation


@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| web-auth/webauthn-lib (source) | `^4.9.2` → `^5.0.0` | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

CVE-2026-30964 / GHSA-f7pm-6hr8-7ggm


Summary

When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.

Details

CheckAllowedOrigins stores each configured allowed origin as:

  • `parse_url($allowedOrigin)['host'] ?? $allowedOrigin`

and later reduces the received clientDataJSON.origin the same way:

  • `parse_url($C->origin)['host'] ?? $C->origin`

If the reduced value matches, the method returns early. As a result, for the normal allowed_origins path, the later HTTPS check is not reached.

This differs from WebAuthn Level 2, which requires verifying that C.origin matches the RP’s origin, separately from verifying that authData.rpIdHash matches the expected RP ID.

Code:

Spec:

PoC

Configuration:

```yaml
webauthn:
  allowed_origins:
    - https://login.example.com:8443
  allow_subdomains: false
```

Send a registration or authentication response whose clientDataJSON.origin is:

https://login.example.com:9443

Observed result: the response is accepted by CheckAllowedOrigins, because both values are reduced to login.example.com.

Expected result: the response should be rejected, because https://login.example.com:8443 and https://login.example.com:9443 are different origins.

Impact

This is an origin validation error affecting deployments that use allowed_origins.

It bypasses the separate exact-origin check required by WebAuthn. The most practical browser-facing example is same-host / different-port origin confusion. In non-browser or custom clients, scheme confusion for URL-like entries may also be relevant.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

web-auth/webauthn-lib (web-auth/webauthn-lib)

  • v5.2.4
  • v5.2.3
  • v5.2.2
  • v5.2.1
  • v5.2.0
  • v5.1.3
  • v5.1.2
  • v5.1.1
  • v5.1.0
  • v5.0.1
  • v5.0.0
  • v4.9.3


Configuration

📅 Schedule: Branch creation - "before 7am every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
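To make the advisory's point concrete, here is an added illustration (not code from web-auth/webauthn-lib or from this PR): the host-only reduction the advisory quotes, beside an exact-origin comparison built on a hypothetical `normalizeOrigin` helper that keeps scheme, host and port, both run against the advisory's PoC configuration. It assumes PHP 8.

```php
<?php
declare(strict_types=1);
// Host-only reduction as quoted in the advisory; scheme and port are lost.
function reduceToHost(string $origin): string
{
    return parse_url($origin)['host'] ?? $origin;
}
// The weak check: accept when the host-reduced values match.
function acceptedByHostMatch(array $allowedOrigins, string $clientOrigin): bool
{
    $reduced = reduceToHost($clientOrigin);
    foreach ($allowedOrigins as $allowed) {
        if (reduceToHost($allowed) === $reduced) {
            return true;
        }
    }
    return false;
}
// Hypothetical helper: canonicalise to scheme://host:port (default port filled
// in) or return null for anything that is not a bare origin.
function normalizeOrigin(string $origin): ?string
{
    $p = parse_url($origin);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    foreach (['path', 'query', 'fragment', 'user', 'pass'] as $extra) {
        if (isset($p[$extra])) {
            return null; // an origin carries no path, query or credentials
        }
    }
    $scheme = strtolower($p['scheme']);
    $defaults = ['https' => 443, 'http' => 80];
    $port = $p['port'] ?? $defaults[$scheme] ?? null;
    if ($port === null) {
        return null; // unknown scheme without an explicit port: not comparable
    }
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}
// The exact check: scheme, host and port must all agree.
function acceptedByExactOrigin(array $allowedOrigins, string $clientOrigin): bool
{
    $client = normalizeOrigin($clientOrigin);
    return $client !== null && in_array($client, array_map('normalizeOrigin', $allowedOrigins), true);
}
// The advisory's configuration and PoC origin, plus a scheme-confusion case.
$allowed = ['https://login.example.com:8443'];
foreach (['https://login.example.com:8443', 'https://login.example.com:9443', 'http://login.example.com'] as $o) {
    printf("%-32s host-match=%s exact=%s\n", $o, var_export(acceptedByHostMatch($allowed, $o), true), var_export(acceptedByExactOrigin($allowed, $o), true));
}
```

Only the first origin passes the exact check; the host-match check accepts all three, which is the bypass the advisory describes.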
@renovate renovate bot added 3. to review Waiting for reviews dependencies Pull requests that update a dependency file labels Mar 10, 2026

renovate bot commented Mar 10, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

```text
File name: composer.lock
Command failed: composer update web-auth/webauthn-lib:5.2.4 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency psr/log is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires web-auth/webauthn-lib ^5.0.0 -> satisfiable by web-auth/webauthn-lib[5.2.4].
    - web-auth/webauthn-lib 5.2.4 requires php >=8.2 -> your php version (8.1.0; overridden via config.platform, same as actual) does not satisfy that requirement.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
```

@renovate renovate bot changed the title fix(deps): bump web-auth/webauthn-lib from 4.9.2 to v5 fix(deps): bump web-auth/webauthn-lib from 4.9.2 to v5 - autoclosed Mar 13, 2026
@renovate renovate bot closed this Mar 13, 2026
@renovate renovate bot deleted the renovate/packagist-web-auth-webauthn-lib-vulnerability branch March 13, 2026 04:34
@DerDreschner

@ChristophWurst Do you know why it was autoclosed? 🤔

@DerDreschner

@ChristophWurst The server uses the library as well. So, I think it makes more sense to make the shift to the latest version on both repositories together.
