{"uuid": "525cd529-e4f1-4180-ac8f-33f757cdb780", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-gfj5-979r-92pw", "type": "seen", "source": "https://gist.github.com/alon710/fd355e480f025edd956fae7107a02df9", "content": "# GHSA-GFJ5-979R-92PW: GHSA-GFJ5-979R-92PW: Unauthenticated Authentication Bypass in @acastellon/auth via Header Spoofing\n\n> **CVSS Score:** 9.3\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-GFJ5-979R-92PW\n\n## Summary\nAn unauthenticated authentication bypass vulnerability exists in @acastellon/auth, an authorization middleware package for Express-based microservices. The vulnerability allows a remote, unauthenticated attacker to completely bypass token validation checks in the validateToken() middleware via spoofed HTTP headers.\n\n## TL;DR\nUnauthenticated remote attackers can bypass JWT/OIDC validation in @acastellon/auth < 2.3.0 by spoofing the 'auth-user' and 'Host' headers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-290\n- **Attack Vector**: Network\n- **CVSS Score**: 9.3 (CVSS v4.0)\n- **EPSS Score**: N/A\n- **Impact**: Complete Authentication Bypass\n- **Exploit Status**: PoC Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- @acastellon/auth\n- **@acastellon/auth**: < 2.3.0 (Fixed in: `2.3.0`)\n\n## Mitigation\n\n- Upgrade `@acastellon/auth` to version 2.3.0 or higher.\n- Enforce Mutual TLS (mTLS) for peer-to-peer authentication.\n- Implement perimeter-level header filtering to strip 'auth-user' and 'is-*' headers.\n\n**Remediation Steps:**\n1. Verify your project dependency version of `@acastellon/auth` in package.json.\n2. Upgrade `@acastellon/auth` to at least version `2.3.0` via your package manager.\n3. Configure the middleware to use mTLS by specifying the `TRUSTED_MTLS_SERVICES` parameter.\n4. Configure upstream API gateways to strip incoming client headers containing `auth-user` or `is-*` keys.\n\n## References\n\n- [GitHub Security Advisory Record](https://github.com/advisories/GHSA-gfj5-979r-92pw)\n- [Official Security Fix Code Comparison](https://github.com/antonio-castellon/module-auth/compare/v2.2.0...v2.3.0)\n- [Disclosing GitHub Issue #6](https://github.com/antonio-castellon/module-auth/issues/6)\n- [OSV Entry](https://osv.dev/vulnerability/GHSA-gfj5-979r-92pw)\n- [npm Package Registry Page](https://www.npmjs.com/package/@acastellon/auth/v/2.3.0)\n- [Project Repository](https://github.com/antonio-castellon/module-auth)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-GFJ5-979R-92PW) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T20:22:11.000000Z"}