webauthn is vulnerable to Improper Input Validation
43
Medium Risk
The parse_cbor helper decodes CBOR from WebAuthn attestation and authenticator responses without rejecting duplicate map keys. Because Python treats True and integer 1 as the same dictionary key, a crafted response can silently overwrite COSE key parameters such as kty, causing an EC2 key structure to be interpreted as an RSA key. The same duplicate-key collision can downgrade the attestation format (for example packed to none) or swap the declared curve, undermining verification of the response. The fix decodes CBOR with allow_duplicate_keys=False so responses containing duplicate map keys are rejected as invalid.
You are affected if you are using a version that falls within the vulnerable range.
webauthn is vulnerable to Improper Input Validation in versions 1.0.0 - 2.8.0.
Upgrade the webauthn library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant