CVE-2026-25651
Open Redirect in client-certificate-auth Middleware Allows Arbitrary Redirects

Publication date: 2026-02-06

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.
Affected Vendors & Products
Vendor: tgies
Product: client-certificate-auth
Version / Range: From 0.2.1 (inc) to 1.0.0 (exc)
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Mitigation Strategies

Immediate mitigation steps include upgrading the client-certificate-auth package to version 1.0.0 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, the following mitigations are recommended:

  • Block HTTP traffic at the network or load balancer level to prevent unencrypted requests reaching the vulnerable middleware.
  • Ensure reverse proxies always set the x-forwarded-proto header to "https" to avoid triggering the vulnerable redirect logic.
  • Add middleware before clientCertificateAuth to validate the Host header against an allowlist of trusted domains. [2]
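As an added example of the third mitigation above (not client-certificate-auth's own code), the following shows the unsafe "concatenate Host into the redirect" pattern the advisory describes next to a Host-allowlist guard that can sit in front of clientCertificateAuth. ALLOWED_HOSTS and the request objects are constructed for illustration.

```javascript
// Added example (not client-certificate-auth's own code): guard the HTTP->HTTPS
// redirect with a Host allowlist instead of trusting the header blindly.
// ALLOWED_HOSTS is a constructed allowlist; replace with your deployment's names.
const ALLOWED_HOSTS = new Set(['app.example.com', 'www.example.com']);

// Unsafe pattern as the advisory describes it: the raw Host header goes
// straight into the Location value, so whatever Host the client sends wins.
function unsafeRedirectLocation(req) {
  return 'https://' + req.headers.host + req.url;
}

// Hardened version: normalise Host, require a plain hostname that is on the
// allowlist, and only ever redirect to a relative path on that host.
function safeRedirectLocation(req, allowedHosts = ALLOWED_HOSTS) {
  const rawHost = req.headers.host;
  if (typeof rawHost !== 'string') return null;
  const host = rawHost.split(':')[0].toLowerCase();   // drop an optional :port
  if (!/^[a-z0-9.-]+$/.test(host) || !allowedHosts.has(host)) return null;
  // A scheme-relative "//other.example/" or non-path value is collapsed to "/".
  const path = typeof req.url === 'string' && /^\/(?!\/)/.test(req.url) ? req.url : '/';
  return 'https://' + host + path;
}

// Connect/Express-style (req, res, next) middleware to place before
// clientCertificateAuth: passes HTTPS requests through, redirects HTTP
// requests whose Host is trusted, and rejects everything else with 400.
// Only honour x-forwarded-proto when a proxy you control overwrites it.
function httpsRedirectGuard(req, res, next) {
  const fwd = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  if (req.secure === true || fwd === 'https') return next();
  const location = safeRedirectLocation(req);
  if (location === null) {
    res.statusCode = 400;
    res.end('Bad Request: unrecognised Host header');
    return;
  }
  res.statusCode = 302;
  res.setHeader('Location', location);
  res.end();
}
```

Mount httpsRedirectGuard with app.use() ahead of clientCertificateAuth so the allowlist check runs before the package's own redirect logic.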

Executive Summary

CVE-2026-25651 is an open redirect vulnerability in the client-certificate-auth middleware for Node.js, specifically in versions 0.2.1 and 0.3.0. The middleware redirects HTTP requests to HTTPS by using the Host header from the request without validating it. Because the Host header can be controlled by an attacker, this allows the attacker to redirect users to arbitrary, potentially malicious domains.

The vulnerable code concatenates the unvalidated Host header directly into the redirect URL, enabling an attacker to craft a malicious link that causes the server to respond with a redirect to an attacker-controlled domain.

Impact Analysis

This vulnerability can be exploited to perform several malicious actions including:

  • Phishing attacks by redirecting users from trusted domains to malicious credential-harvesting sites.
  • OAuth or Single Sign-On (SSO) token theft through leakage of authorization codes or tokens during authentication redirects.
  • Referer header leakage that exposes sensitive URL parameters to attacker-controlled domains.
  • Cache poisoning in shared cache environments, causing malicious redirects to be served to other users.

Detection Guidance

This vulnerability can be detected by checking if the Node.js application using client-certificate-auth middleware redirects HTTP requests to HTTPS using an unvalidated Host header. Specifically, look for HTTP responses with 302 redirects where the Location header contains an unexpected or attacker-controlled domain.

One way to test this is to send an HTTP request with a manipulated Host header and observe if the redirect points to the injected domain.

Example command using curl to test for the vulnerability:

  curl -I -H "Host: attacker.com" http://vulnerable-app.example.com/login

If the Location header in the response redirects to https://attacker.com/login, the vulnerability is present. [2]
