CVE-2026-25651
Unknown Unknown - Not Provided

Open Redirect in client-certificate-auth Middleware Allows Arbitrary Redirects

Vulnerability report for CVE-2026-25651, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-06

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description

client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-06
Last Modified
2026-02-24
Generated
2026-07-06
AI Q&A
2026-02-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tgies client-certificate-auth From 0.2.1 (inc) to 1.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading the client-certificate-auth package to version 1.0.0 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, the following mitigations are recommended:'}, {'type': 'list_item', 'content': 'Block HTTP traffic at the network or load balancer level to prevent unencrypted requests reaching the vulnerable middleware.'}, {'type': 'list_item', 'content': 'Ensure reverse proxies always set the x-forwarded-proto header to "https" to avoid triggering the vulnerable redirect logic.'}, {'type': 'list_item', 'content': 'Add middleware before clientCertificateAuth to validate the Host header against an allowlist of trusted domains.'}] [2]

Executive Summary

CVE-2026-25651 is an open redirect vulnerability in the client-certificate-auth middleware for Node.js, specifically in versions 0.2.1 and 0.3.0. The middleware redirects HTTP requests to HTTPS by using the Host header from the request without validating it. Because the Host header can be controlled by an attacker, this allows the attacker to redirect users to arbitrary, potentially malicious domains.

The vulnerable code concatenates the unvalidated Host header directly into the redirect URL, enabling an attacker to craft a malicious link that causes the server to respond with a redirect to an attacker-controlled domain.

Impact Analysis

This vulnerability can be exploited to perform several malicious actions including:

  • Phishing attacks by redirecting users from trusted domains to malicious credential-harvesting sites.
  • OAuth or Single Sign-On (SSO) token theft through leakage of authorization codes or tokens during authentication redirects.
  • Referer header leakage that exposes sensitive URL parameters to attacker-controlled domains.
  • Cache poisoning in shared cache environments, causing malicious redirects to be served to other users.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Node.js application using client-certificate-auth middleware redirects HTTP requests to HTTPS using an unvalidated Host header. Specifically, look for HTTP responses with 302 redirects where the Location header contains an unexpected or attacker-controlled domain.'}, {'type': 'paragraph', 'content': 'One way to test this is to send an HTTP request with a manipulated Host header and observe if the redirect points to the injected domain.'}, {'type': 'paragraph', 'content': 'Example command using curl to test for the vulnerability:'}, {'type': 'list_item', 'content': 'curl -I -H "Host: attacker.com" http://vulnerable-app.example.com/login'}, {'type': 'paragraph', 'content': 'If the Location header in the response redirects to https://attacker.com/login, the vulnerability is present.'}] [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart