Impact
This vulnerability allows an unauthenticated attacker to bypass token validation by sending specially crafted HTTP headers. The validateToken middleware reads two client-controlled headers, auth-user and Host, in a service-to-service check that runs before the standard JWT/OIDC validation. By setting auth-user to "service-brother" and sending a Host value that starts with the protected hostname, the attacker can make the middleware skip the authentication checks and gain unauthorized access to protected microservices. The weakness is categorized as CWE-287 (Improper Authentication).
Affected Systems
The affected product is the @acastellon/auth authentication module, version 2.2.x and earlier. Upgrading to version 2.3.0 or later resolves the issue.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified from the provided data, and the absence of a KEV listing suggests it has not yet been widely exploited. The attack vector is remote and requires no privileges; an attacker can trigger the bypass by sending an HTTP request with the spoofed headers from any network location that can reach the service.
OpenCVE Enrichment
Github GHSA