Impact
Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess() and onAuthenticationFailure() at INFO level:
$this->logger->info('User has been authenticated successfully with Webauthn.', [
'request' => $request,
'firewallName' => $firewallName,
'identifier' => $token->getUserIdentifier(),
]);
$this->logger->info('Webauthn authentication request failed.', [
'request' => $request,
'exception' => $exception,
]);
Request::__toString() returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for LineFormatter, JsonFormatter via NormalizerFormatter, etc.), sensitive headers such as Cookie (session identifier), Authorization and any custom auth header are written to the log stream in clear text.
Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.
Affected versions
Every release prior to 5.3.4 is affected.
Patches
The fix removes the full Request object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.
Workarounds
Until the upgrade is applied, projects can:
- Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.
- Configure their Monolog processor/formatter to strip the
request key from the context of these records before they are written.
Credit
Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.
References
Impact
Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticatorlogs the fullSymfony\Component\HttpFoundation\Requestobject inside the log context of bothonAuthenticationSuccess()andonAuthenticationFailure()at INFO level:Request::__toString()returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour forLineFormatter,JsonFormatterviaNormalizerFormatter, etc.), sensitive headers such asCookie(session identifier),Authorizationand any custom auth header are written to the log stream in clear text.Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.
Affected versions
Every release prior to 5.3.4 is affected.
Patches
The fix removes the full
Requestobject from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.Workarounds
Until the upgrade is applied, projects can:
requestkey from the context of these records before they are written.Credit
Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.
References