Pending


SniperSister - 11 Apr 2026
  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR sets expected classes for the unserialize calls in the webauthn code. That prevents PHP object injection vectors if - for whatever reason - the encodedOptions are ever user-provided.

Thx to Neel Baggam for reporting.

Testing Instructions

Apply patch, use webauthn to authenticate.

Actual result BEFORE applying this Pull Request

  • Webauthn works

Expected result AFTER applying this Pull Request

  • Webauthn works

Link to documentation

  • No documentation changes for guide.joomla.org needed

  • No documentation changes for manual.joomla.org needed
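As an added illustration of the hardening this PR describes (example code, not the Joomla PR's own), the snippet below restricts unserialize() with allowed_classes so that only the expected options class can be rehydrated; the PublicKeyOptions and Unexpected class names and the base64 wrapping are assumptions, not taken from the Joomla code.

```php
<?php
// Added example, not code from the Joomla PR. Shows the effect of passing
// allowed_classes to unserialize(): only the class the caller expects is
// instantiated, anything else becomes __PHP_Incomplete_Class and is rejected.

// Constructed stand-in for the stored webauthn options object.
// The real Joomla class name is not on the page; this name is hypothetical.
final class PublicKeyOptions
{
    public function __construct(public string $challenge, public int $timeout) {}
}

// Constructed stand-in for any class the caller does not expect to see.
final class Unexpected
{
    public string $note = 'must never be instantiated from stored data';
}

function decodeOptions(string $encoded): ?PublicKeyOptions
{
    // Strict base64 decoding: malformed input yields false, not a guess.
    $serialized = base64_decode($encoded, true);
    if ($serialized === false) {
        return null;
    }

    // Restrict instantiation to PublicKeyOptions. Other classes in the stream
    // are materialised as __PHP_Incomplete_Class, so no __wakeup()/__destruct()
    // of an unexpected class ever runs. Malformed data returns false.
    $obj = unserialize($serialized, ['allowed_classes' => [PublicKeyOptions::class]]);

    return $obj instanceof PublicKeyOptions ? $obj : null;
}

// Constructed sample inputs: one legitimate options object, one foreign class.
$good = base64_encode(serialize(new PublicKeyOptions('abc123', 60000)));
$bad  = base64_encode(serialize(new Unexpected()));

$accepted = decodeOptions($good);   // a PublicKeyOptions instance
$rejected = decodeOptions($bad);    // null: the class was not in allowed_classes

var_dump($accepted instanceof PublicKeyOptions, $rejected);
```

The same pattern applies to the unhardened form, `unserialize($serialized)` with no second argument, which would instantiate whatever class name the stream names; that difference is what the PR closes off.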

SniperSister - open - 11 Apr 2026
SniperSister - change - 11 Apr 2026
Status: New → Pending
joomla-cms-bot - change - 11 Apr 2026
Category: Front End Plugins
exlemor - test_item - 14 Apr 2026 - Tested successfully
exlemor - comment - 14 Apr 2026

I have tested this item ✅ successfully on 32e6528

I have tested this successfully. Thanks @SniperSister!

Webauthn works well BEFORE and AFTER.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47575.

SniperSister - change - 14 Apr 2026
Title:
[6.1] Harden webauthn unserialize calls
Draft: [6.1] Harden webauthn unserialize calls
SniperSister - edited - 14 Apr 2026
