Description
client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.
Published: 2026-02-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Apply Patch
AI Analysis

Impact

The vulnerability in client-certificate-auth allows an attacker to trigger an insecure redirect by supplying a malicious Host header in an HTTP request. The application blindly redirects to HTTPS using the Host value without validation, permitting users to be sent to arbitrary domains controlled by the attacker. This can facilitate phishing, credential theft, or other social-engineering attacks. The weakness is identified as CWE-601, an open redirect flaw.

Affected Systems

The middleware client-certificate-auth from vendor tgies is affected in versions 0.2.1 and 0.3.0. Any deployment of these two releases that employs the automatic HTTP-to-HTTPS redirect is vulnerable.

Risk and Exploitability

With a CVSS score of 6.1 the vulnerability is considered medium severity. The EPSS score is below 1%, indicating a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The attack vector is remote and requires only a crafted HTTP request to the host performing the redirect. No active exploitation has been publicly reported, but upgrading to v1.0.0 removes the flaw.

Generated by OpenCVE AI on April 17, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade client-certificate-auth to version 1.0.0 or later.
  • If an upgrade is not immediately possible, configure the middleware or the surrounding application to validate the Host header against an allow list before performing the redirect.
  • Ensure that any redirect logic uses trusted, internal domain names rather than trusting client-supplied headers to prevent open redirect behavior.
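The allow-list check recommended above, written out as an added example in Express-style Node.js. This is illustrative code, not the client-certificate-auth project's own middleware or its fix; the hostnames in the allow list, the request objects, and the `simulate` harness are constructed for the demonstration. The unsafe helper reproduces the pattern the advisory describes (redirect target built straight from the Host header) so the difference to the hardened helper is visible side by side.

```javascript
// Added example, not code from the client-certificate-auth project: an
// HTTP-to-HTTPS redirect that only honours Host values on an allow list,
// beside the unsafe pattern the advisory describes. Express-style req/res
// objects (req.headers, req.url, req.secure, res.setHeader) are assumed.

// Constructed allow list: the hostnames (with optional port) this app is served on.
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);

// Unsafe pattern: the redirect target is built from the client-supplied Host
// header, so a forged Host sends the user to an arbitrary domain (CWE-601).
function unsafeRedirectTarget(req) {
  return 'https://' + req.headers.host + req.url;
}

// Hardened pattern: normalise the Host value, check it against the allow
// list, and only then build an absolute https:// URL. Returns null when the
// host is unknown so the caller can refuse instead of redirecting.
function safeRedirectTarget(req, allowedHosts = ALLOWED_HOSTS) {
  const host = String(req.headers.host || '').trim().toLowerCase();
  if (!allowedHosts.has(host)) return null;
  // req.url is expected to be a path. Anything that does not start with a
  // single '/' (e.g. '//evil.example' or a full URL) falls back to '/'.
  const url = String(req.url || '/');
  const path = url.startsWith('/') && !url.startsWith('//') ? url : '/';
  return 'https://' + host + path;
}

// Express-style middleware factory using the hardened helper.
function httpsRedirect(allowedHosts = ALLOWED_HOSTS) {
  return function (req, res, next) {
    if (req.secure) return next();            // already TLS: nothing to do
    const target = safeRedirectTarget(req, allowedHosts);
    if (target === null) {
      res.statusCode = 400;                   // refuse rather than redirect
      res.end('Bad Request: unrecognised Host header');
      return;
    }
    res.statusCode = 301;
    res.setHeader('Location', target);
    res.end();
  };
}

// Offline harness: run the middleware against a constructed request and
// report the status code and Location header it would produce.
function simulate(hostHeader, url, allowedHosts = ALLOWED_HOSTS) {
  const req = { headers: { host: hostHeader }, url: url, secure: false };
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end() {},
  };
  let nextCalled = false;
  httpsRedirect(allowedHosts)(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, location: headers.location, nextCalled: nextCalled };
}

// Constructed requests: a legitimate Host and a forged one.
console.log('unsafe target:', unsafeRedirectTarget({ headers: { host: 'evil.example.net' }, url: '/login' }));
console.log('legit host   :', simulate('app.example.com', '/login'));
console.log('forged host  :', simulate('evil.example.net', '/login'));
```

The important design choice is that an unrecognised Host is answered with a 400 rather than a "best effort" redirect to a default host: a request carrying a Host you do not serve is either misrouted or hostile, and neither case should produce a Location header derived from it. Matching is done on the lowercased, trimmed value including the port, so the allow list must contain every host:port combination the application is legitimately reached on.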

Advisories

Source: GitHub GHSA
ID: GHSA-m4w9-gch5-c2g4
Title: client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect
History

Tue, 24 Feb 2026 21:15:00 +0000

CPEs (values added): cpe:2.3:a:tgies:client-certificate-auth:*:*:*:*:*:node.js:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

First Time appeared (values added): Tgies; Tgies client-certificate-auth
Vendors & Products (values added): Tgies; Tgies client-certificate-auth

Fri, 06 Feb 2026 19:15:00 +0000

Description (values added): client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.
Title (values added): client-certificate-auth has an Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect
Weaknesses (values added): CWE-601
References
Metrics (values added): cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:28:48.992Z

Reserved: 2026-02-04T05:15:41.792Z

Link: CVE-2026-25651

Vulnrichment

Updated: 2026-02-09T15:19:32.970Z

NVD

Status: Analyzed

Published: 2026-02-06T19:16:09.897

Modified: 2026-02-24T21:00:44.357

Link: CVE-2026-25651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses