CVE-2026-25651
client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect
Description
### Summary

Versions 0.2.1 and 0.3.0 of `client-certificate-auth` contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated `Host` header, allowing an attacker to redirect users to arbitrary domains.

### Vulnerable Code

```javascript
// lib/clientCertificateAuth.js (versions 0.2.1, 0.3.0)
// Vulnerable: the Host header is client-controlled and is used, unvalidated, as the redirect target.
if (!req.secure && req.header('x-forwarded-proto') != 'https') {
  return res.redirect('https://' + req.header('host') + req.url);
}
```

### Attack Scenario

1. Attacker crafts a link: `http://vulnerable-app.example.com/login`
2. When the victim clicks it, the attacker intercepts the request and injects the header `Host: attacker.com`
3. Server responds: `302 Found → https://attacker.com/login`
4. Victim is redirected to the attacker-controlled site

### Impact

- **Phishing**: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
- **OAuth/SSO Token Theft**: In authentication flows, authorization codes or tokens may leak via redirect
- **Referer Leakage**: Sensitive URL parameters may be exposed to attacker domains via the Referer header
- **Cache Poisoning**: In deployments with shared caches, malicious redirects may be cached and served to other users

### Exploitability

Exploitation requires that HTTP traffic reaches the Node.js application without TLS termination setting `x-forwarded-proto: https`. This condition is uncommon in production deployments behind modern reverse proxies or load balancers, which limits real-world exploitability.

### Fix

The vulnerable redirect behavior has been completely removed in version 1.0.0.

```bash
npm install client-certificate-auth@^1.0.0
```

### Workarounds

If upgrading is not immediately possible:

1. Block HTTP traffic at the network/load balancer level
2. Ensure your reverse proxy always sets `x-forwarded-proto: https`
3. Add middleware before `clientCertificateAuth` to validate the `Host` header against an allowlist

### References

- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
- [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
- [Fix Commit](https://github.com/tgies/client-certificate-auth/commit/8fc995e953db483495be46862965e50fe9e1cc52)
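Workaround 3 in practice, as an added example that is not code from the `client-certificate-auth` project: an Express-style middleware that performs the HTTP-to-HTTPS redirect only when the `Host` header exactly matches an allowlist, and answers 400 otherwise. The hostnames in `ALLOWED_HOSTS` and the `runMiddleware` harness are constructed for illustration; the middleware reads `req.headers` (available on Express requests as well as plain Node ones) so it runs without Express installed.

```javascript
// Added example (not the project's own code). Hosts this deployment serves; constructed sample values.
const ALLOWED_HOSTS = ['vulnerable-app.example.com', 'vulnerable-app.example.com:8443'];

// True only when the Host header exactly equals an allowlisted value after case-folding.
// Deliberately no suffix or substring matching, so "vulnerable-app.example.com.attacker.test"
// and "vulnerable-app.example.com@attacker.com" are both rejected.
function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const host = hostHeader.trim().toLowerCase();
  // Anything that could smuggle a path, query, fragment or userinfo into the Location header is refused.
  if (/[\/@\\?#\s]/.test(host)) return false;
  return allowed.some((h) => h.toLowerCase() === host);
}

// Safe replacement for the vulnerable redirect: same trigger condition as the original
// (plain HTTP and no x-forwarded-proto: https), but the redirect target is only ever
// an allowlisted host, never whatever the client put in the Host header.
function httpsRedirectWithHostAllowlist(allowed = ALLOWED_HOSTS) {
  return function (req, res, next) {
    if (req.secure || req.headers['x-forwarded-proto'] === 'https') return next();
    const host = req.headers['host'];
    if (!isAllowedHost(host, allowed)) {
      res.statusCode = 400;
      return res.end('Bad Request: unrecognised Host header');
    }
    res.statusCode = 302;
    res.setHeader('Location', 'https://' + host.toLowerCase() + req.url);
    return res.end();
  };
}

// Minimal stand-in for Express req/res so the middleware can be exercised offline.
// Returns the status, Location header and whether the request was passed on.
function runMiddleware(headers, url, allowed = ALLOWED_HOSTS) {
  const req = { secure: false, headers, url };
  const res = {
    statusCode: 200,
    location: null,
    setHeader(name, value) { if (name === 'Location') this.location = value; },
    end() {},
  };
  let calledNext = false;
  httpsRedirectWithHostAllowlist(allowed)(req, res, () => { calledNext = true; });
  return { statusCode: res.statusCode, location: res.location, next: calledNext };
}
```

In a real deployment, mount `httpsRedirectWithHostAllowlist()` with `app.use(...)` ahead of `clientCertificateAuth`, populating the allowlist from configuration rather than a literal.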
How to fix CVE-2026-25651
To remediate CVE-2026-25651, upgrade the affected package to a fixed version below.
- `client-certificate-auth`: upgrade to 1.0.0 or later