CVE-2026-25651

6.1 MEDIUM

📋 TL;DR

The client-certificate-auth middleware for Node.js contains an open redirect vulnerability in versions 0.2.1 and 0.3.0. It redirects every plain-HTTP request to HTTPS by building the redirect target from the request's unvalidated Host header, so a request carrying a forged Host value is answered with a redirect to whatever domain that header names. Any Node.js application using one of these two versions is affected; the fix is to upgrade to 1.0.0.

💻 Affected Systems

Products:
  • client-certificate-auth
Versions: 0.2.1, 0.3.0
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the vulnerable middleware versions with HTTP-to-HTTPS redirection enabled, i.e. deployments where the middleware sees plain-HTTP requests (including requests forwarded as plain HTTP by a TLS-terminating proxy) and answers them with a redirect.

📦 What is this software?

client-certificate-auth is a small Express/Connect-style middleware for Node.js that authenticates clients by their TLS client certificate and hands the verified certificate to an application-supplied callback. Because a client certificate only exists on a TLS connection, the middleware first sends plain-HTTP requests to the HTTPS endpoint, and that redirect is where this vulnerability sits.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect users to phishing sites that steal credentials or deliver malware, potentially leading to account compromise, data theft, or system infection.

🟠 Likely Case

Users are redirected to malicious sites for phishing, credential harvesting, or malware distribution campaigns.

🟢 If Mitigated

With proper validation and patching, redirects only occur to legitimate HTTPS endpoints of the intended application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires sending a plain-HTTP request whose Host header names the attacker's domain; the middleware answers with a 301/302 to that domain. Reaching other users from there normally needs an intermediary that stores or forwards the response, such as a shared cache that saves the poisoned redirect, or a front-end proxy or default virtual host that passes arbitrary Host values through to the application, because a browser visiting the site directly sends the genuine Host.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0

Vendor Advisory: https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4

Restart Required: Yes

Instructions:

1. Update package.json to require client-certificate-auth version 1.0.0 or higher (for example "client-certificate-auth": "^1.0.0"). A caret range such as ^0.3.0 never resolves to 1.x, so the range itself has to change.
2. Run npm install client-certificate-auth@^1.0.0, which rewrites the range and the lockfile in one step (npm update alone stays within whatever range package.json already declares).
3. Restart the Node.js application. 1.0.0 is a major version bump, so review the project's changelog for breaking changes before rolling it out.

🔧 Temporary Workarounds

Disable HTTP-to-HTTPS redirection

Applies to: all

Temporarily disable the middleware's automatic HTTP-to-HTTPS redirection and let a reverse proxy or load balancer that you control perform the redirect to a fixed hostname instead.

Configure the middleware with the {redirect: false} option. Confirm against the README of the version you have installed that this option is honoured before relying on it; if it is not, use the Host header validation below.

Implement Host header validation

Applies to: all

Add custom middleware, registered before the vulnerable middleware, that rejects any request whose Host header is not one of the hostnames the application is actually served on (an exact-match allowlist, not a substring or suffix check):

app.use((req, res, next) => {
  // isValidHost: your own exact-match allowlist check against the
  // hostnames this application is served on
  if (!isValidHost(req.headers.host)) return res.status(400).send();
  next();
});
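The workaround above, made concrete. This is an added example, not code from the client-certificate-auth project or from the advisory: it implements an exact-match Host allowlist, the validation middleware, and a hardened redirect whose target comes from configuration rather than from the request, next to the vulnerable pattern for comparison. The hostnames, CANONICAL_ORIGIN, isValidHost, runChain and the sample requests are all assumptions made for the illustration, and the vulnerable function is modelled on the behaviour the advisory describes, not copied from the library's source.

```javascript
// Added example, not the client-certificate-auth project's code: an exact-match
// Host allowlist, middleware that rejects unknown hosts, and an HTTP-to-HTTPS
// redirect whose target never comes from the request. Names such as
// ALLOWED_HOSTS, CANONICAL_ORIGIN, isValidHost and runChain are this
// example's own assumptions.

// Hostnames this application is legitimately served on (constructed for the
// example; read them from configuration in a real deployment).
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);

// Fixed origin for redirects. Because it is configuration, not request data,
// a forged Host header cannot influence where users are sent.
const CANONICAL_ORIGIN = 'https://app.example.com';

// Exact, case-insensitive match. No suffix or substring matching, so
// "app.example.com.evil.example" and "evil.example" are both rejected.
function isValidHost(host, allowed = ALLOWED_HOSTS) {
  if (typeof host !== 'string' || host.length === 0) return false;
  return allowed.has(host.toLowerCase());
}

// Vulnerable pattern, modelled on the behaviour the advisory describes (not
// the library's actual source): the target host is copied from the request.
function vulnerableRedirectTarget(req) {
  return 'https://' + req.headers.host + req.url;
}

// Hardened pattern: unknown Host -> null (caller answers 400); otherwise the
// canonical origin plus only the path and query of the request. req.url is
// resolved against a placeholder base so a value such as "//evil.example/x"
// cannot turn into a protocol-relative redirect.
function safeRedirectTarget(req) {
  if (!isValidHost(req.headers.host)) return null;
  const u = new URL(req.url, 'http://placeholder.invalid');
  return CANONICAL_ORIGIN + u.pathname + u.search;
}

// Express/Connect-style middleware. Register hostValidation before any
// middleware that reads req.headers.host, including the certificate check.
function hostValidation(req, res, next) {
  if (!isValidHost(req.headers.host)) {
    res.statusCode = 400;
    res.end();
    return;
  }
  next();
}

// req.secure is Express's flag (true for a TLS socket, or derived from
// X-Forwarded-Proto when 'trust proxy' is configured).
function httpsRedirect(req, res, next) {
  if (req.secure) return next();
  const target = safeRedirectTarget(req);
  if (target === null) {
    res.statusCode = 400;
    res.end();
    return;
  }
  res.statusCode = 301;
  res.setHeader('Location', target);
  res.end();
}

// Runs a middleware chain against a minimal stand-in for a Node response so
// the behaviour can be exercised without starting a server.
function runChain(req, middlewares) {
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end() {},
  };
  let reachedHandler = false;
  const step = (i) => {
    if (i === middlewares.length) { reachedHandler = true; return; }
    middlewares[i](req, res, () => step(i + 1));
  };
  step(0);
  return { statusCode: res.statusCode, location: headers.location ?? null, reachedHandler };
}

// Constructed requests: a forged Host, a legitimate Host in mixed case, and a
// request that already arrived over TLS.
const forged = { secure: false, url: '/login', headers: { host: 'evil.example' } };
const legit = { secure: false, url: '/login?next=%2Fhome', headers: { host: 'App.Example.com' } };
const overTls = { secure: true, url: '/login', headers: { host: 'app.example.com' } };

const chain = [hostValidation, httpsRedirect];
console.log('vulnerable pattern, forged Host ->', vulnerableRedirectTarget(forged));
console.log('hardened chain, forged Host   ->', runChain(forged, chain));
console.log('hardened chain, legit Host    ->', runChain(legit, chain));
console.log('hardened chain, already TLS   ->', runChain(overTls, chain));
```

Order matters: the host check has to run before the certificate middleware and before anything else that trusts req.headers.host. The redirect deliberately copies only the path and query of req.url rather than the raw string, because a request line such as GET //evil.example/x would otherwise produce a protocol-relative Location even with a valid Host.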

🧯 If You Can't Patch

  • Put a reverse proxy in front of the application that only forwards requests whose Host header matches the site's configured hostnames. In nginx, for example, give each legitimate hostname its own server block and make the default server return 444 (close the connection) so unknown Host values never reach Node.
  • Use WAF rules that block requests whose Host header is not one of the site's hostnames. Filter on the inbound Host rather than on "redirect patterns": the redirect target is in the response's Location header, which most WAFs do not inspect.

🔍 How to Verify

Check if Vulnerable:

Check package-lock.json (or node_modules) for every installed copy of client-certificate-auth at version 0.2.1 or 0.3.0, including nested copies under another dependency's node_modules. The range in package.json only says what was requested, not what is actually installed.

Check Version:

npm list client-certificate-auth

Verify Fix Applied:

Confirm that every installed copy of client-certificate-auth in package-lock.json and node_modules is at version 1.0.0 or higher, then redeploy and restart so the running process is using the new version.
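npm list shows what is installed, but a lockfile can hold several copies of a package, and a transitive dependency may still pin an old one after the top-level range has been bumped. As an added example (not npm's or the project's tooling), the script below walks a package-lock.json and reports every installed copy with its status. The sample lockfile, the function names and the simple numeric semver comparison are this example's own.

```javascript
// Added example (not npm's or the project's tooling): scan a package-lock.json
// for every installed copy of client-certificate-auth, including nested copies
// pulled in by other dependencies, and report which are still vulnerable.
// Function names and the sample lockfile are this example's own.
const PACKAGE = 'client-certificate-auth';
const VULNERABLE = new Set(['0.2.1', '0.3.0']);
const FIXED = '1.0.0';

// Minimal numeric semver compare (major.minor.patch; pre-release tags ignored).
function semverCompare(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// 'vulnerable' = listed in the advisory, 'fixed' = at or above 1.0.0,
// 'not-listed' = older than the fix but not in the advisory's affected list.
function classify(version) {
  if (VULNERABLE.has(version)) return 'vulnerable';
  if (semverCompare(version, FIXED) >= 0) return 'fixed';
  return 'not-listed';
}

// Collect {path, version} for each copy of PACKAGE. Handles lockfile v2/v3
// ("packages", keyed by node_modules path) and v1 ("dependencies", nested).
function findInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === `node_modules/${PACKAGE}` || p.endsWith(`/node_modules/${PACKAGE}`)) {
        found.push({ path: p, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) found.push({ path: p, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  return findInstalled(lock).map((f) => ({ ...f, status: classify(f.version) }));
}

// Constructed sample lockfile (v3 layout): a vulnerable top-level copy and a
// fixed nested copy, the situation a glance at package.json misses.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'client-certificate-auth': '^0.3.0' } },
    'node_modules/client-certificate-auth': { version: '0.3.0' },
    'node_modules/other-lib': { version: '2.1.0' },
    'node_modules/other-lib/node_modules/client-certificate-auth': { version: '1.0.0' },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against the real lockfile by replacing SAMPLE_LOCK with the file's contents; any entry reported as vulnerable needs the range bump and reinstall described under Official Fix, and a nested copy usually means another dependency has to be updated as well.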

📡 Detection & Monitoring

Log Indicators:

  • HTTP 301/302 responses whose Location header points at a host other than the application's own hostnames. This requires logging the Location response header, which default web-server access-log formats do not include, so add it before relying on this indicator.
  • Requests whose Host header is not one of the application's hostnames (an IP address, an unrelated domain, or a known hostname with an unexpected port).

Network Indicators:

  • HTTP traffic showing redirects to non-application domains

SIEM Query:

http.status_code IN (301, 302) AND NOT url.destination IN (allowed_domains)

The field names above are illustrative: map http.status_code and url.destination to the response-status and redirect-target fields of your own log schema, and keep allowed_domains to the exact hostnames the site is served on.
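The two log indicators above, run over sample records. This is an added example and not part of the original page: it scans JSON-lines access-log records for redirects whose target host is not one of ours and for inbound Host headers that are not one of ours, and counts redirect targets per host so a sudden new destination stands out. The record format, field names, allowlist and sample lines are constructed for the example; it only works if the logger records the Location response header.

```javascript
// Added example (not part of the original page): scan access-log records for
// a redirect to a non-application host and for an unexpected Host header.
// The JSON-lines format, field names, ALLOWED_HOSTS and the sample records
// are constructed for this example.
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);
const REDIRECT_STATUSES = new Set([301, 302, 307, 308]);

// Host of an absolute redirect target, or null when the Location is relative.
// Resolving against a placeholder base means "//evil.example/" is treated as
// absolute (which it is to a browser) rather than as a path.
function redirectHost(location) {
  if (!location) return null;
  const u = new URL(location, 'http://placeholder.invalid');
  return u.host === 'placeholder.invalid' ? null : u.host.toLowerCase();
}

// Returns { findings, redirectsByHost, unparsed }. Each finding carries the
// record's timestamp and path plus every reason it was flagged.
function scanAccessLog(lines, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const redirectsByHost = new Map();
  let unparsed = 0;
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { unparsed++; continue; }
    const reasons = [];
    const inbound = (rec.host || '').toLowerCase();
    if (!allowed.has(inbound)) reasons.push(`unexpected Host header "${rec.host}"`);
    if (REDIRECT_STATUSES.has(rec.status)) {
      const target = redirectHost(rec.location);
      if (target !== null) {
        redirectsByHost.set(target, (redirectsByHost.get(target) || 0) + 1);
        if (!allowed.has(target)) reasons.push(`redirect to non-application host "${target}"`);
      }
    }
    if (reasons.length) findings.push({ ts: rec.ts, path: rec.path, reasons });
  }
  return { findings, redirectsByHost, unparsed };
}

// Constructed sample records: a normal redirect, a forged-Host redirect, a
// plain 200, a relative redirect, a protocol-relative redirect, and junk.
const SAMPLE_LOG = [
  '{"ts":"2026-03-01T10:00:00Z","host":"app.example.com","path":"/","status":301,"location":"https://app.example.com/"}',
  '{"ts":"2026-03-01T10:00:05Z","host":"evil.example","path":"/login","status":301,"location":"https://evil.example/login"}',
  '{"ts":"2026-03-01T10:00:07Z","host":"app.example.com","path":"/api/me","status":200,"location":null}',
  '{"ts":"2026-03-01T10:00:09Z","host":"app.example.com:8443","path":"/","status":302,"location":"/dashboard"}',
  '{"ts":"2026-03-01T10:00:11Z","host":"app.example.com","path":"/","status":302,"location":"//evil.example/"}',
  'not json at all',
];

const report = scanAccessLog(SAMPLE_LOG);
console.log('findings:', JSON.stringify(report.findings, null, 2));
console.log('redirects by target host:', Object.fromEntries(report.redirectsByHost));
console.log('unparsed lines:', report.unparsed);
```

The second sample record is exactly what this CVE produces: the inbound Host and the redirect target are the same attacker domain, so it trips both indicators. The fifth record is not this CVE but shows why redirect targets are parsed as URLs rather than matched as strings; a Location beginning with two slashes is an absolute redirect to a browser.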

🔗 References

  • GitHub Security Advisory GHSA-m4w9-gch5-c2g4: https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4