CVE-2026-25651 Overview
client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.
Critical Impact
Attackers can craft malicious URLs that redirect authenticated users to attacker-controlled domains, enabling phishing attacks and credential theft.
Affected Products
- client-certificate-auth version 0.2.1
- client-certificate-auth version 0.3.0
Discovery Timeline
- 2026-02-06 - CVE-2026-25651 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2026-25651
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site), commonly known as an Open Redirect vulnerability. The root issue lies in how the client-certificate-auth middleware handles HTTP to HTTPS redirects.
When the middleware receives an HTTP request, it attempts to upgrade the connection to HTTPS by performing a redirect. However, the redirect destination URL is constructed using the Host header from the incoming request without any validation. Since the Host header is client-controlled, an attacker can manipulate it to redirect users to arbitrary external domains.
The vulnerability requires user interaction as the victim must click a malicious link crafted by the attacker. Once clicked, the victim is redirected through the legitimate application to an attacker-controlled site, which can be used for phishing, credential harvesting, or delivering malware.
Root Cause
The middleware's HTTP to HTTPS redirect functionality uses the unvalidated Host header value directly when constructing the redirect URL. This allows attackers to inject arbitrary hostnames that are then used as the redirect destination. The affected versions have no validation or allow-listing of permitted hosts.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a URL pointing to the vulnerable application with a manipulated Host header. When a victim visits this URL, the middleware redirects them to an HTTPS URL using the attacker-supplied host value. This can be exploited to redirect users to malicious websites that mimic the legitimate application for phishing purposes.
The attacker-controlled destination could host a fake login page designed to capture credentials, or it could deliver malware or other malicious content while appearing to originate from a trusted source.
Detection Methods for CVE-2026-25651
Indicators of Compromise
- Unusual redirect responses (HTTP 301/302) from the application with external domain destinations
- Web server logs showing requests with suspicious or unexpected Host header values
- User reports of being redirected to unfamiliar websites after clicking legitimate-looking links
Detection Strategies
- Monitor web server access logs for redirect responses with external URLs in the Location header
- Implement web application firewall (WAF) rules to detect and block requests with mismatched Host headers
- Review application logs for patterns of HTTP requests immediately followed by redirects to non-application domains
Monitoring Recommendations
- Configure alerting on redirect responses that point to domains outside your organization's control
- Implement real-time log analysis to detect anomalous Host header values
- Deploy browser-based security controls to warn users about redirects to untrusted domains
How to Mitigate CVE-2026-25651
Immediate Actions Required
- Upgrade client-certificate-auth to version 1.0.0 or later immediately
- Audit application configurations to identify all instances using affected versions (0.2.1 or 0.3.0)
- Review server logs for any evidence of exploitation attempts
Patch Information
The vulnerability is fixed in version 1.0.0 of client-certificate-auth. Detailed release information is available in the GitHub Release v1.0.0. Additional security details can be found in the GitHub Security Advisory GHSA-m4w9-gch5-c2g4.
Workarounds
- If immediate upgrade is not possible, implement a reverse proxy or WAF rule to validate Host headers before requests reach the application
- Configure web server to enforce a specific allowed host value, rejecting requests with unexpected Host headers
- Temporarily disable the HTTP to HTTPS redirect functionality if not strictly required
# Example nginx configuration to validate the Host header
server {
    listen 80;
    server_name your-domain.com;

    # Reject requests with unexpected Host headers (444 closes the connection
    # without a response, so no Location header is ever emitted for them)
    if ($host !~* ^(your-domain\.com)$) {
        return 444;
    }

    # Redirect to HTTPS using the configured host, never the request's Host header
    return 301 https://your-domain.com$request_uri;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.