Package Instance

fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
### Summary
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in `extractStrings()` — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.

The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.

Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.

## Affected versions

fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package — not affected.

Only affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.

## PoC

```js
const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)
```

CBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.

In context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` → `cbor-x.decode()` → `cbor-extract` → SIGSEGV.

## Fix

Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).

```diff
-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"
```

— Malik X (@Xvush)