Skip to content

v13.3.2

Latest

Choose a tag to compare

@MasterKale MasterKale released this 24 Jun 05:13
803d1da

This update fixes a CVSS v4 Low (2.0) security vulnerability identified in @simplewebauthn/server. See the security advisory linked below for more information.

Changes:

  • [server] Fixed an issue with verifyRegistrationResponse() allowing a maliciously-crafted attestation statement's x5c to contain a self-signed "root certificate" instead of chaining back to an RP-specified trust anchor (GHSA-6hxq-p678-4hr2)