GHSA-m4w9-gch5-c2g4

Описание

Summary

Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains.

Vulnerable Code

Attack Scenario

1. Attacker crafts a link: http://vulnerable-app.example.com/login
2. When victim clicks, attacker intercepts and injects header: Host: attacker.com
3. Server responds: 302 Found → https://attacker.com/login
4. Victim is redirected to attacker-controlled site

Impact

• Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
• OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
• Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
• Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

Exploitability

Exploitation requires that HTTP traffic reaches the Node.js application without TLS termination setting x-forwarded-proto: https. This condition is uncommon in production deployments behind modern reverse proxies or load balancers, which limits real-world exploitability.

Fix

The vulnerable redirect behavior has been completely removed in version 1.0.0.

Workarounds

If upgrading is not immediately possible:

1. Block HTTP traffic at the network/load balancer level
2. Ensure your reverse proxy always sets x-forwarded-proto: https
3. Add middleware before clientCertificateAuth to validate the Host header against an allowlist

References

• CWE-601: URL Redirection to Untrusted Site
• OWASP: Unvalidated Redirects and Forwards
• Fix Commit