PT-2026-6778 · Unknown · Client-Certificate-Auth

Tgies · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-25651

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
client-certificate-auth versions 0.2.1 through 0.3.0

Description
The software is middleware for Node.js that implements client SSL certificate authentication and authorization. Versions 0.2.1 and 0.3.0 contain an open redirect issue. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, potentially allowing an attacker to redirect users to arbitrary domains. The vulnerable code is located in lib/clientCertificateAuth.js. The issue can lead to phishing attacks, OAuth/SSO token theft, referer leakage, and cache poisoning. Exploitation requires HTTP traffic to reach the application without TLS termination, or with an improperly configured x-forwarded-proto header. The vulnerable redirect behavior has been removed in version 1.0.0.

Recommendations
Upgrade to client-certificate-auth version 1.0.0 or later. If upgrading is not immediately possible, block HTTP traffic at the network or load balancer level. Ensure your reverse proxy always sets x-forwarded-proto: https. Add middleware before clientCertificateAuth to validate the Host header against an allowlist.
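As an added example (not the client-certificate-auth project's own code), the Host allowlist check the recommendations describe, written as Express-style middleware meant to run ahead of clientCertificateAuth, followed by an HTTP-to-HTTPS redirect that builds its Location from the validated host and honors x-forwarded-proto. The hostnames, function names and the trusted-proxy assumption are constructed for this example.

```javascript
// Constructed allowlist: the hostnames this deployment is actually served on.
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);

// Returns the normalized host if the Host header is on the allowlist, else null.
// The header is attacker-controlled on plain HTTP, so it is never echoed back
// into a Location header unless it matches an expected value exactly.
function allowedHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.trim().toLowerCase();
  // Only a bare host[:port] is acceptable; userinfo ("@"), slashes or
  // backslashes would let a redirect target escape to another origin.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  return ALLOWED_HOSTS.has(host) ? host : null;
}

// Middleware to mount before clientCertificateAuth (hypothetical name):
// rejects unknown hosts before any later middleware can redirect using them.
function hostAllowlist(req, res, next) {
  const host = allowedHost(req.headers.host);
  if (host === null) {
    res.statusCode = 400;
    res.end('Bad Request: unrecognized Host header');
    return;
  }
  req.validatedHost = host;
  next();
}

// HTTP-to-HTTPS redirect that uses the validated host, never req.headers.host
// directly. Assumes x-forwarded-proto is set by a trusted TLS-terminating
// proxy (the advisory's recommendation) and is not reachable from clients.
function httpsRedirect(req, res, next) {
  const fwd = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  if (req.secure === true || fwd === 'https') return next();
  const host = req.validatedHost || allowedHost(req.headers.host);
  if (host === null) {
    res.statusCode = 400;
    res.end('Bad Request: unrecognized Host header');
    return;
  }
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + host + req.url);
  res.end();
}
```

In an Express app the two would be mounted in that order (`app.use(hostAllowlist); app.use(httpsRedirect);`) ahead of the certificate middleware, so a request carrying a foreign Host value receives a 400 instead of a redirect.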

Weakness Enumeration
Open Redirect

Related Identifiers
CVE-2026-25651
GHSA-M4W9-GCH5-C2G4

Affected Products
Client-Certificate-Auth