CVE-2026-25651 in client-certificate-auth

Summary

by MITRE • 02/06/2026

client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.


Analysis

by VulDB Data Team • 02/06/2026

The client-certificate-auth middleware for Node.js presents a critical open redirect vulnerability that compromises user security and application integrity. This vulnerability specifically affects versions 0.2.1 and 0.3.0 of the middleware, where the implementation fails to validate the Host header when performing HTTP to HTTPS redirection. The flaw stems from an insecure direct object reference pattern that allows malicious actors to manipulate the redirection behavior by controlling the Host header value. This vulnerability aligns with CWE-601, which addresses open redirect vulnerabilities where applications redirect users to unvalidated external URLs. The issue creates a significant risk for applications that rely on SSL certificate authentication, as it undermines the security controls designed to protect against unauthorized access and man-in-the-middle attacks.

The technical implementation flaw occurs when the middleware processes incoming HTTP requests and automatically redirects them to HTTPS without validating the Host header value. Attackers can exploit this by crafting malicious requests with manipulated Host headers that contain arbitrary domain names, causing the application to redirect users to phishing sites or malicious domains. This vulnerability represents a classic example of insecure redirection that can be leveraged for credential theft, social engineering attacks, and session hijacking. The unvalidated Host header manipulation allows attackers to bypass the intended security boundaries established by the SSL certificate authentication mechanism, creating a pathway for malicious redirection that can be used in conjunction with other attack vectors.

The operational impact of this vulnerability extends beyond simple redirection attacks and can severely compromise user trust and application security. When users are redirected to malicious domains through this vulnerability, they may unknowingly provide sensitive information to attackers, believing they are on legitimate secure sites. This vulnerability particularly affects applications that depend on client certificate authentication for access control, as it undermines the entire authentication chain by allowing attackers to redirect users away from the secure authentication process. The vulnerability also creates potential for abuse in phishing campaigns where attackers can use the legitimate application domain to redirect users to malicious sites, making the attack appear more trustworthy. Organizations using affected versions of the middleware face increased risk of data breaches and compromised user credentials.

Security mitigations for this vulnerability require immediate upgrade to version 1.0.0 or later, which implements proper Host header validation and secure redirection mechanisms. Organizations should conduct comprehensive vulnerability assessments to identify all applications using affected middleware versions and ensure proper patching procedures are followed. The fix addresses the vulnerability by implementing strict validation of the Host header before performing any redirection operations, preventing attackers from manipulating the redirect destination. This remediation aligns with ATT&CK technique T1566.001 which covers phishing through social engineering, as the vulnerability enables attackers to create convincing phishing scenarios. Additionally, organizations should implement network monitoring to detect suspicious redirection patterns and consider implementing additional security controls such as Content Security Policy headers to prevent unauthorized redirects from occurring. The vulnerability also highlights the importance of proper input validation and secure coding practices in middleware components, particularly those handling authentication and authorization flows.
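To make the flaw and its fix concrete, here is an added example (not the client-certificate-auth project's own code, and not the actual fix in 1.0.0): a minimal reconstruction of the HTTP-to-HTTPS redirect pattern the analysis describes, placed beside a hardened version that validates the Host header against an operator allowlist, plus a small log check that flags redirects to hosts outside that allowlist. The request objects, the `ALLOWED` list, the JSON-lines log format and the domain names are all constructed for illustration.

```javascript
// Added example, not the client-certificate-auth project's own code: a minimal
// reconstruction of the HTTP-to-HTTPS redirect pattern the advisory describes,
// beside a hardened version that validates the Host header against an operator
// allowlist, plus a small log check for redirects to unexpected hosts.
// All request objects, domain names and log lines below are constructed.

// Vulnerable pattern (CWE-601): the redirect target is assembled from the
// unvalidated Host header, so whoever controls that header picks the domain.
function insecureRedirectTarget(req) {
  if (req.secure) return null; // already HTTPS: nothing to do
  return `https://${req.headers.host}${req.url}`;
}

// Extract a plain hostname from a Host header value. Anything that is not a
// bare "hostname[:port]" token (userinfo, path, scheme, whitespace) is refused.
function hostnameFromHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/i.exec(hostHeader);
  return m ? m[1].toLowerCase() : null;
}

// Hardened pattern: the redirect is only issued to an authority the operator
// listed. The incoming port is ignored because the HTTP listener's port says
// nothing about where HTTPS is served; the allowlist entry supplies that.
function secureRedirectTarget(req, allowedAuthorities) {
  if (req.secure) return null;
  const hostname = hostnameFromHostHeader(req.headers.host);
  if (!hostname) return null;
  const authority = allowedAuthorities.find(
    (a) => a.split(':')[0].toLowerCase() === hostname
  );
  if (!authority) return null;
  // Only carry over an origin-form request target; anything else becomes "/".
  const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
  return `https://${authority}${path}`;
}

// Express/Connect-style middleware factory. An unrecognised Host gets a 400
// rather than a guessed redirect, so misconfiguration surfaces in logs.
function httpsRedirectMiddleware(allowedAuthorities) {
  return function (req, res, next) {
    if (req.secure) return next();
    const target = secureRedirectTarget(req, allowedAuthorities);
    if (!target) {
      res.statusCode = 400;
      return res.end('Unrecognised Host header');
    }
    res.statusCode = 301;
    res.setHeader('Location', target);
    res.end();
  };
}

// Detection: scan JSON-lines access log entries (a constructed format, one
// object per line with "status" and "location") and report any redirect whose
// Location points outside the allowlist, which is the observable symptom of
// the flaw on a still-vulnerable deployment.
function findSuspiciousRedirects(logText, allowedAuthorities) {
  const allowedHosts = new Set(allowedAuthorities.map((a) => a.split(':')[0].toLowerCase()));
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; }
    if (entry.status < 300 || entry.status > 399 || !entry.location) continue;
    let target;
    try { target = new URL(entry.location); } catch (e) { continue; }
    if (!allowedHosts.has(target.hostname.toLowerCase())) hits.push(entry);
  }
  return hits;
}

// Constructed sample data.
const ALLOWED = ['app.example.com', 'admin.example.com:8443'];
const sampleRequests = {
  legit: { secure: false, url: '/login?next=%2Fhome', headers: { host: 'app.example.com' } },
  attackerHost: { secure: false, url: '/login', headers: { host: 'attacker.example' } },
  adminPort: { secure: false, url: '/', headers: { host: 'admin.example.com:8080' } },
};
const sampleLog = [
  '{"ts":"2026-02-06T10:00:00Z","host":"app.example.com","status":301,"location":"https://app.example.com/login"}',
  '{"ts":"2026-02-06T10:00:01Z","host":"attacker.example","status":301,"location":"https://attacker.example/login"}',
  '{"ts":"2026-02-06T10:00:02Z","host":"app.example.com","status":200}',
].join('\n');

console.log(insecureRedirectTarget(sampleRequests.attackerHost)); // https://attacker.example/login
console.log(secureRedirectTarget(sampleRequests.attackerHost, ALLOWED)); // null
console.log(findSuspiciousRedirects(sampleLog, ALLOWED).length); // 1
```

The design point is that the safe version never echoes the Host header back into a URL: it uses the header only as a lookup key into a list the operator wrote, and the redirect string is built from that list entry. Refusing with a 400 instead of falling back to a default host keeps a misconfigured allowlist visible rather than silently redirecting. The log scan is the defender-side counterpart: on a deployment still running 0.2.1 or 0.3.0, any 3xx whose Location host is not in the allowlist is a direct indicator of the behaviour the advisory describes.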

Responsible: GitHub M

Reservation: 02/04/2026

Disclosure: 02/06/2026

Moderation: accepted

CPE: ready

EPSS: 0.00018

KEV: no

Activities: very low
