Summary

Vulnerable Code

// lib/clientCertificateAuth.js (versions 0.2.1, 0.3.0)
if (!req.secure && req.header('x-forwarded-proto') != 'https') {
 return res.redirect('https://' + req.header('host') + req.url);
}

Attack Scenario

1. Attacker crafts a link: http://vulnerable-app.example.com/login
2. When victim clicks, attacker intercepts and injects header: Host: attacker.com
3. Server responds: 302 Found → https://attacker.com/login
4. Victim is redirected to attacker-controlled site

Impact

• Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
• OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
• Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
• Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

Exploitability

Fix

npm install client-certificate-auth@^1.0.0

Workarounds

1. Block HTTP traffic at the network/load balancer level
2. Ensure your reverse proxy always sets x-forwarded-proto: https
3. Add middleware before clientCertificateAuth to validate the Host header against an allowlist

References

• CWE-601: URL Redirection to Untrusted Site
• [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated Redirects and Forwards Cheat Sheet.html)
• Fix Commit