PT-2026-53182 · Npm · @Acastellon/Auth

Publicado

2026-06-18

·

Atualizado

2026-06-18

CVSS v4.0

9.3

Crítica

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers.
The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs.
Impact: An attacker may be able to access routes protected by validateToken() without a valid token. In deployments where downstream services trust auth-user or is-* headers, this may also lead to privilege escalation.
Affected package: @acastellon/auth v2.2.0
Affected code: auth.js, validateToken() The issue is related to the service-brother bypass and getHostName() check.
Example request:
GET /protected HTTP/1.1
Host: <configured CNAME or hostname>
auth-user: service-brother
is-admin: true
Expected behavior: The request should require a valid authentication token.
Actual behavior: The middleware calls next() before token validation.
Fix implemented in v2.3.0+:
Removed the spoofable bypass. Always sanitize incoming auth-user and is-* headers. Added mTLS client certificate based service auth (with optional TRUSTED MTLS SERVICES allowlist). Updated consumers (rest, graphql, dns-client) for mTLS support. Unit tests added for sanitization + mTLS path.

Correção

Authentication Bypass by Spoofing

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-GFJ5-979R-92PW

Produtos afetados

@Acastellon/Auth