Vulnerability-Lookup

CVE-2026-25651 (GCVE-0-2026-25651)

Vulnerability from cvelistv5 – Published: 2026-02-06 18:50 – Updated: 2026-02-09 15:28

Title

client-certificate-auth has an Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect

Summary

client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tgies/client-certificate-auth/…	x_refsource_CONFIRM
	https://github.com/tgies/client-certificate-auth/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tgies	client-certificate-auth	Affected: >= 0.2.1, < 1.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:19:32.286725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:28:48.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "client-certificate-auth",
          "vendor": "tgies",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.2.1, \u003c 1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T18:50:26.046Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4"
        },
        {
          "name": "https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0"
        }
      ],
      "source": {
        "advisory": "GHSA-m4w9-gch5-c2g4",
        "discovery": "UNKNOWN"
      },
      "title": "client-certificate-auth has an Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25651",
    "datePublished": "2026-02-06T18:50:26.046Z",
    "dateReserved": "2026-02-04T05:15:41.792Z",
    "dateUpdated": "2026-02-09T15:28:48.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25651\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T19:16:09.897\",\"lastModified\":\"2026-02-06T21:57:22.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"references\":[{\"url\":\"https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25651\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-09T15:19:32.286725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-09T15:19:32.970Z\"}}], \"cna\": {\"title\": \"client-certificate-auth has an Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect\", \"source\": {\"advisory\": \"GHSA-m4w9-gch5-c2g4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"tgies\", \"product\": \"client-certificate-auth\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.2.1, \u003c 1.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4\", \"name\": \"https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0\", \"name\": \"https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T18:50:26.046Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25651\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-09T15:28:48.992Z\", \"dateReserved\": \"2026-02-04T05:15:41.792Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T18:50:26.046Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25651

Vulnerability from fkie_nvd - Published: 2026-02-06 19:16 - Updated: 2026-02-06 21:57

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0
	security-advisories@github.com	https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0."
    }
  ],
  "id": "CVE-2026-25651",
  "lastModified": "2026-02-06T21:57:22.450",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T19:16:09.897",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-M4W9-GCH5-C2G4

Vulnerability from github – Published: 2026-02-06 18:54 – Updated: 2026-02-06 21:43

Summary

client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect

Details

Summary

Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains.

Vulnerable Code

// lib/clientCertificateAuth.js (versions 0.2.1, 0.3.0)
if (!req.secure && req.header('x-forwarded-proto') != 'https') {
  return res.redirect('https://' + req.header('host') + req.url);
}

Attack Scenario

Attacker crafts a link: http://vulnerable-app.example.com/login
When victim clicks, attacker intercepts and injects header: Host: attacker.com
Server responds: 302 Found → https://attacker.com/login
Victim is redirected to attacker-controlled site

Impact

Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

Exploitability

Exploitation requires that HTTP traffic reaches the Node.js application without TLS termination setting x-forwarded-proto: https. This condition is uncommon in production deployments behind modern reverse proxies or load balancers, which limits real-world exploitability.

Fix

The vulnerable redirect behavior has been completely removed in version 1.0.0.

npm install client-certificate-auth@^1.0.0

Workarounds

If upgrading is not immediately possible:

Block HTTP traffic at the network/load balancer level
Ensure your reverse proxy always sets x-forwarded-proto: https
Add middleware before clientCertificateAuth to validate the Host header against an allowlist

References

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "client-certificate-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.1"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:54:33Z",
    "nvd_published_at": "2026-02-06T19:16:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nVersions 0.2.1 and 0.3.0 of `client-certificate-auth` contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated `Host` header, allowing an attacker to redirect users to arbitrary domains.\n\n### Vulnerable Code\n\n```javascript\n// lib/clientCertificateAuth.js (versions 0.2.1, 0.3.0)\nif (!req.secure \u0026\u0026 req.header(\u0027x-forwarded-proto\u0027) != \u0027https\u0027) {\n  return res.redirect(\u0027https://\u0027 + req.header(\u0027host\u0027) + req.url);\n}\n```\n\n### Attack Scenario\n\n1. Attacker crafts a link: `http://vulnerable-app.example.com/login`\n2. When victim clicks, attacker intercepts and injects header: `Host: attacker.com`\n3. Server responds: `302 Found \u2192 https://attacker.com/login`\n4. Victim is redirected to attacker-controlled site\n\n### Impact\n\n- **Phishing**: Attackers can use trusted domain links to redirect victims to credential-harvesting pages\n- **OAuth/SSO Token Theft**: In authentication flows, authorization codes or tokens may leak via redirect\n- **Referer Leakage**: Sensitive URL parameters may be exposed to attacker domains via the Referer header\n- **Cache Poisoning**: In deployments with shared caches, malicious redirects may be cached and served to other users\n\n### Exploitability\n\nExploitation requires that HTTP traffic reaches the Node.js application without TLS termination setting `x-forwarded-proto: https`. This condition is uncommon in production deployments behind modern reverse proxies or load balancers, which limits real-world exploitability.\n\n### Fix\n\nThe vulnerable redirect behavior has been completely removed in version 1.0.0.\n\n```bash\nnpm install client-certificate-auth@^1.0.0\n```\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n1. Block HTTP traffic at the network/load balancer level\n2. Ensure your reverse proxy always sets `x-forwarded-proto: https`\n3. Add middleware before `clientCertificateAuth` to validate the `Host` header against an allowlist\n\n### References\n\n- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)\n- [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n- [Fix Commit](https://github.com/tgies/client-certificate-auth/commit/8fc995e953db483495be46862965e50fe9e1cc52)",
  "id": "GHSA-m4w9-gch5-c2g4",
  "modified": "2026-02-06T21:43:18Z",
  "published": "2026-02-06T18:54:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tgies/client-certificate-auth/commit/8fc995e953db483495be46862965e50fe9e1cc52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tgies/client-certificate-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25651 (GCVE-0-2026-25651)

FKIE_CVE-2026-25651

GHSA-M4W9-GCH5-C2G4

Summary

Vulnerable Code

Attack Scenario

Impact

Exploitability

Fix

Workarounds

References

Tags

Sightings

Nomenclature