
Update dependency web-auth/webauthn-lib to v5 [SECURITY]#627

Open

renovate[bot] wants to merge 1 commit into develop from
renovate/packagist-web-auth-webauthn-lib-vulnerability

Conversation


@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package: web-auth/webauthn-lib (source)
Change: ^4 → ^5

GitHub Vulnerability Alerts

CVE-2026-30964

Summary

When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.

Details

CheckAllowedOrigins stores each configured allowed origin as:

  • parse_url($allowedOrigin)['host'] ?? $allowedOrigin

and later reduces the received clientDataJSON.origin the same way:

  • parse_url($C->origin)['host'] ?? $C->origin

If the reduced value matches, the method returns early. As a result, for the normal allowed_origins path, the later HTTPS check is not reached.

This differs from WebAuthn Level 2, which requires verifying that C.origin matches the RP’s origin, separately from verifying that authData.rpIdHash matches the expected RP ID.

PoC

Configuration:

webauthn:
  allowed_origins:
    - https://login.example.com:8443
  allow_subdomains: false

Send a registration or authentication response whose clientDataJSON.origin is:

https://login.example.com:9443

Observed result:
the response is accepted by CheckAllowedOrigins, because both values are reduced to login.example.com.

Expected result:
the response should be rejected, because https://login.example.com:8443 and https://login.example.com:9443 are different origins.

Impact

This is an origin validation error affecting deployments that use allowed_origins.

It bypasses the separate exact-origin check required by WebAuthn. The most practical browser-facing example is same-host / different-port origin confusion. In non-browser or custom clients, scheme confusion for URL-like entries may also be relevant.


Release Notes

web-auth/webauthn-lib (web-auth/webauthn-lib)

Versions covered by this update (each entry linked to a "Compare Source" diff on the original page):

  • v5.2.4
  • v5.2.3
  • v5.2.2
  • v5.2.1
  • v5.2.0
  • v5.1.3
  • v5.1.2
  • v5.1.1
  • v5.1.0
  • v5.0.1
  • v5.0.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
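To make the advisory's PoC concrete, the following is an added example (not code from webauthn-lib or from this PR). It reproduces the host-only reduction the advisory describes for CheckAllowedOrigins beside an exact-origin comparison that keeps scheme, host and port, and runs both against the PoC values. The function names, the default-port table and the sample origins are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the library's own code. Shows why reducing a
// URL-like allowed origin to its host cannot express an exact origin
// policy, and how a full (scheme, host, port) comparison differs.

// Shape of the vulnerable check: keep only the host of a URL-like value,
// fall back to the raw string when parse_url() yields no host.
function reduceToHost(string $value): string
{
    return parse_url($value)['host'] ?? $value;
}

// Host-only matching: accepts as soon as the reduced values agree.
function hostOnlyMatch(array $allowedOrigins, string $clientOrigin): bool
{
    $received = reduceToHost($clientOrigin);
    foreach ($allowedOrigins as $allowed) {
        if (reduceToHost($allowed) === $received) {
            return true;
        }
    }
    return false;
}

// Exact-origin matching: compare the full origin tuple. Returns null for
// values that are not an absolute URL, so they can never match.
function originTuple(string $value): ?array
{
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    // Assumed default ports so "https://a" and "https://a:443" compare equal.
    $defaults = ['https' => 443, 'http' => 80];
    $port = $parts['port'] ?? ($defaults[$scheme] ?? null);
    if ($port === null) {
        return null;
    }
    return [$scheme, strtolower($parts['host']), $port];
}

function exactOriginMatch(array $allowedOrigins, string $clientOrigin): bool
{
    $received = originTuple($clientOrigin);
    if ($received === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        if (originTuple($allowed) === $received) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: the advisory's allowed_origins entry and a few
// clientDataJSON.origin values, including the PoC's different-port origin.
$allowed = ['https://login.example.com:8443'];
$candidates = [
    'https://login.example.com:8443', // the configured origin itself
    'https://login.example.com:9443', // PoC: same host, different port
    'http://login.example.com:8443',  // same host and port, different scheme
    'https://login.example.com',      // same host, implicit port 443
];

foreach ($candidates as $origin) {
    printf(
        "%-34s host-only=%-5s exact=%s\n",
        $origin,
        var_export(hostOnlyMatch($allowed, $origin), true),
        var_export(exactOriginMatch($allowed, $origin), true)
    );
}
```

Run with `php example.php`: the host-only check accepts all four candidates because each reduces to login.example.com, while the exact-origin check accepts only the first. The exact comparison also makes the separate HTTPS requirement redundant for configured origins, since a scheme mismatch already fails the tuple comparison.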


deepsource-io bot commented Mar 10, 2026

DeepSource Code Review

We reviewed changes in 140c6c7...9ef489d on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card: Overall Grade, Security, Reliability, Complexity, Hygiene (grade badges shown as images on the original page)

Code Review Summary

Analyzer: PHP
Updated (UTC): Mar 10, 2026 4:40 a.m.
Details: Review ↗
