GHSA-m4w9-gch5-c2g4

Summary

Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains.

Vulnerable Code

// lib/clientCertificateAuth.js (versions 0.2.1, 0.3.0)
if (!req.secure && req.header('x-forwarded-proto') != 'https') {
  return res.redirect('https://' + req.header('host') + req.url);
}

Attack Scenario

1. Attacker crafts a link: http://vulnerable-app.example.com/login
2. When victim clicks, attacker intercepts and injects header: Host: attacker.com
3. Server responds: 302 Found → https://attacker.com/login
4. Victim is redirected to attacker-controlled site

Impact

• Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
• OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
• Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
• Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

Exploitability

Exploitation requires that HTTP traffic reaches the Node.js application without TLS termination setting x-forwarded-proto: https. This condition is uncommon in production deployments behind modern reverse proxies or load balancers, which limits real-world exploitability.

Fix

The vulnerable redirect behavior has been completely removed in version 1.0.0.

npm install client-certificate-auth@^1.0.0

Workarounds

If upgrading is not immediately possible:

1. Block HTTP traffic at the network/load balancer level
2. Ensure your reverse proxy always sets x-forwarded-proto: https
3. Add middleware before clientCertificateAuth to validate the Host header against an allowlist

References

• CWE-601: URL Redirection to Untrusted Site
• OWASP: Unvalidated Redirects and Forwards
• Fix Commit