Problem
AuthenticatorData::_readFlags() parses the Backup Eligible (BE, bit 3) and Backup State (BS, bit 4) flags but does not validate the constraint between them.
Per the W3C WebAuthn spec (§6.3.3 Authenticator Data / Level 3 §6.1), the combination BS=1, BE=0 is invalid — a credential cannot claim to be backed up if it is not eligible for backup.
| BE | BS | Meaning |
|----|----|---------|
| 0 | 0 | Not backup eligible, not backed up |
| 1 | 0 | Backup eligible, not yet backed up |
| 1 | 1 | Backup eligible, currently backed up |
| 0 | 1 | Invalid — cannot be backed up without being eligible |
Currently, crafted authenticatorData with BS=1, BE=0 is accepted without error. Relying parties that use getIsBackupEligible() and getIsBackup() for policy decisions could act on an impossible state.
Suggested fix
Add validation in _readFlags() after the named flags are assigned:
```php
// BS=1 with BE=0 is not a state an authenticator can legitimately report.
if ($flags->isBackup && !$flags->isBackupEligible) {
    throw new WebAuthnException('invalid backup flags: BS without BE', WebAuthnException::INVALID_DATA);
}
```
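Added example (Python, not the library's PHP and not code from this issue): a minimal parser for the fixed authenticatorData header that applies the same BE/BS check, so the impossible BS=1, BE=0 state is rejected before any flag reaches relying-party policy code. Function, class and field names are my own; the sample input is constructed by `make_authenticator_data`.

```python
import hashlib
import struct

# Bit positions in the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible
FLAG_BS = 1 << 4  # backup state
FLAG_AT = 1 << 6  # attested credential data included
FLAG_ED = 1 << 7  # extension data included


class InvalidAuthenticatorData(ValueError):
    """Raised for malformed or spec-violating authenticatorData."""


def backup_flags_valid(flags_byte: int) -> bool:
    """The only impossible combination is BS=1 with BE=0."""
    backup = bool(flags_byte & FLAG_BS)
    eligible = bool(flags_byte & FLAG_BE)
    return eligible or not backup


def read_flags(flags_byte: int) -> dict:
    """Decode the named flags and enforce the BE/BS constraint."""
    if not backup_flags_valid(flags_byte):
        raise InvalidAuthenticatorData("invalid backup flags: BS without BE")
    return {
        "userPresent": bool(flags_byte & FLAG_UP),
        "userVerified": bool(flags_byte & FLAG_UV),
        "backupEligible": bool(flags_byte & FLAG_BE),
        "backup": bool(flags_byte & FLAG_BS),
        "attestedCredentialData": bool(flags_byte & FLAG_AT),
        "extensionData": bool(flags_byte & FLAG_ED),
    }


def parse_authenticator_data(data: bytes) -> dict:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(data) < 37:
        raise InvalidAuthenticatorData("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return {"rpIdHash": data[:32], "flags": read_flags(data[32]), "signCount": sign_count}


def make_authenticator_data(rp_id: str, flags_byte: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte header; used only to produce sample input."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags_byte]) + struct.pack(">I", sign_count)
```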