In eduMFA < 2.9.1 userless Passkey/WebAuthn challenges might be replayed and do not expire
Fixed in eduMFA >= 2.9.1 by adding validity information to the userless challenges.
No known workarounds besides disabling userless login altogether.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-j5rm-v3vh-vx94 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | edumfa | < 2.9.1 | 2.9.1 | — |