CVE-2026-25651
Open Redirect in client-certificate-auth Middleware Allows Arbitrary Redirects
Publication date: 2026-02-06
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tgies | client-certificate-auth | From 0.2.1 (inc) to 1.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the client-certificate-auth package to version 1.0.0 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, the following mitigations are recommended:

- Block HTTP traffic at the network or load balancer level to prevent unencrypted requests reaching the vulnerable middleware.
- Ensure reverse proxies always set the x-forwarded-proto header to "https" to avoid triggering the vulnerable redirect logic.
- Add middleware before clientCertificateAuth to validate the Host header against an allowlist of trusted domains.

[2]
Can you explain this vulnerability to me?
CVE-2026-25651 is an open redirect vulnerability in the client-certificate-auth middleware for Node.js, specifically in versions 0.2.1 and 0.3.0. The middleware redirects HTTP requests to HTTPS by using the Host header from the request without validating it. Because the Host header can be controlled by an attacker, this allows the attacker to redirect users to arbitrary, potentially malicious domains.
The vulnerable code concatenates the unvalidated Host header directly into the redirect URL, enabling an attacker to craft a malicious link that causes the server to respond with a redirect to an attacker-controlled domain.
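The pattern described above, shown side by side with the allowlist mitigation recommended earlier, as an added example. This is not code from the client-certificate-auth project or from the advisory: it models a minimal Express-style HTTP-to-HTTPS redirect in a vulnerable form (the Host header copied into Location unvalidated, CWE-601) and a hardened form that redirects only to a host on an allowlist. The function names, the allowlist contents and the plain-object `req`/`res` shapes are assumptions made so the example runs without Express.

```javascript
// Added example, not code from the client-certificate-auth project or the advisory.
// Models the HTTP -> HTTPS redirect described above in a vulnerable form and a
// hardened form. Function names and the allowlist are hypothetical; req/res are
// plain objects so the example runs stand-alone without Express.

const ALLOWED_HOSTS = new Set(['app.example.com', 'www.example.com']); // constructed allowlist

// Was the request already HTTPS? Trust x-forwarded-proto only when it is set by
// your own reverse proxy; `req.secure` models TLS terminated by Node itself.
function isHttps(req) {
  if (req.secure) return true;
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// VULNERABLE pattern: the redirect target is built from whatever Host the client sent.
function buildRedirectVulnerable(req) {
  if (isHttps(req)) return null;                          // already HTTPS, no redirect
  return { status: 302, location: 'https://' + req.headers.host + req.url };
}

// HARDENED pattern: normalise Host (lower-case, port stripped), require an exact
// allowlist match, and carry over only an origin-form path. req.url can be an
// absolute-form target; accepting only a leading "/" keeps the concatenation
// from producing a different authority than the allowlisted host.
function buildRedirectHardened(req) {
  if (isHttps(req)) return null;
  const host = String(req.headers.host || '').toLowerCase().replace(/:\d+$/, '');
  if (!ALLOWED_HOSTS.has(host)) return { status: 400 };   // refuse; never redirect
  const url = String(req.url || '/');
  const path = url.startsWith('/') ? url : '/';
  return { status: 302, location: 'https://' + host + path };
}

// Express-style wrapper: mount this before clientCertificateAuth so an
// unexpected Host is rejected before any redirect logic runs.
function httpsRedirect(build) {
  return function (req, res, next) {
    const decision = build(req);
    if (decision === null) return next();
    if (decision.status === 400) return res.status(400).send('Bad Host header');
    return res.redirect(decision.status, decision.location);
  };
}
```

With `app.use(httpsRedirect(buildRedirectHardened))` the allowlist check runs on every plain-HTTP request; a request carrying a Host that is not served by this deployment gets a 400 instead of a Location header echoing that Host back.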
How can this vulnerability impact me?
This vulnerability can be exploited to perform several malicious actions, including:
- Phishing attacks by redirecting users from trusted domains to malicious credential-harvesting sites.
- OAuth or Single Sign-On (SSO) token theft through leakage of authorization codes or tokens during authentication redirects.
- Referer header leakage that exposes sensitive URL parameters to attacker-controlled domains.
- Cache poisoning in shared cache environments, causing malicious redirects to be served to other users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Node.js application using client-certificate-auth middleware redirects HTTP requests to HTTPS using an unvalidated Host header. Specifically, look for HTTP responses with 302 redirects where the Location header contains an unexpected or attacker-controlled domain.

One way to test this is to send an HTTP request with a manipulated Host header and observe if the redirect points to the injected domain.

Example command using curl to test for the vulnerability:

```shell
curl -I -H "Host: attacker.com" http://vulnerable-app.example.com/login
```

If the Location header in the response redirects to https://attacker.com/login, the vulnerability is present.

[2]
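The single curl probe above checks one request; the same symptom can be looked for across a whole response log. The following scanner is an added example, not from the advisory or the project: it flags 3xx responses whose Location points to a host outside the set this deployment legitimately serves. The log line format, the sample lines and the expected-host set are constructed for this example.

```javascript
// Added example, not from the advisory or the client-certificate-auth project:
// scan response logs for redirects whose Location host is not one we serve.
// The line format and sample lines below are constructed for this example.

// Hosts this deployment legitimately redirects to (constructed).
const EXPECTED_HOSTS = new Set(['vulnerable-app.example.com']);

// Constructed sample lines: client method host-header path status location
const SAMPLE_LOG = `
203.0.113.5 GET vulnerable-app.example.com /login 302 https://vulnerable-app.example.com/login
203.0.113.9 GET attacker.com /login 302 https://attacker.com/login
198.51.100.2 GET vulnerable-app.example.com /api 200 -
198.51.100.7 GET evil.example:8443 /login 302 https://evil.example:8443/login
198.51.100.8 GET vulnerable-app.example.com /old 301 /new
`.trim();

// Split one whitespace-separated log line into a record, or null if malformed.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 6) return null;
  return { client: f[0], method: f[1], hostHeader: f[2], path: f[3],
           status: Number(f[4]), location: f[5] };
}

// Hostname of an absolute Location (port dropped), or null for a relative one,
// which stays on the same origin and is not an open redirect.
function locationHost(location) {
  try { return new URL(location).hostname.toLowerCase(); } catch (e) { return null; }
}

// Return every redirect response whose Location host is outside EXPECTED_HOSTS.
function findSuspiciousRedirects(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const rec = parseLine(line);
    if (!rec || rec.status < 300 || rec.status > 399) continue;
    const host = locationHost(rec.location);
    if (host === null || EXPECTED_HOSTS.has(host)) continue;
    hits.push({ client: rec.client, hostHeader: rec.hostHeader, location: rec.location });
  }
  return hits;
}

for (const hit of findSuspiciousRedirects(SAMPLE_LOG)) {
  console.log(`suspicious redirect from ${hit.client}: Host=${hit.hostHeader} -> ${hit.location}`);
}
```

Matching the flagged Location against the request's Host header, as the output line does, is what separates this bug from an intended cross-host redirect: here the injected Host is reflected verbatim into Location.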