Skip to content

SECURITY: Authentication bypass in @acastellon/auth v2.2.0 via spoofable headers in validateToken() (mTLS fix in 2.3.0+) #6

Description

@antonio-castellon

Credit: hackchang for discovering and reporting this vulnerability.


OFFICIAL GITHUB SECURITY ADVISORY DRAFT CONTENT

Copy and paste the sections below into the GitHub "New draft security advisory" form.

Summary (Title):
Authentication bypass in @acastellon/auth v2.2.0 via spoofable headers in validateToken() (fixed in v2.3.0)

Description:

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers.

The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs.

Impact:
An attacker may be able to access routes protected by validateToken() without a valid token. In deployments where downstream services trust auth-user or is-* headers, this may also lead to privilege escalation.

Affected package:
@acastellon/auth v2.2.0

Affected code:
auth.js, validateToken()
The issue is related to the service-brother bypass and getHostName() check.

Example request:

GET /protected HTTP/1.1
Host: <configured CNAME or hostname>
auth-user: service-brother
is-admin: true

Expected behavior:
The request should require a valid authentication token.

Actual behavior:
The middleware calls next() before token validation.

Fix implemented in v2.3.0+:

  • Removed the spoofable bypass.
  • Always sanitize incoming auth-user and is-* headers.
  • Added mTLS client certificate based service auth (with optional TRUSTED_MTLS_SERVICES allowlist).
  • Updated consumers (rest, graphql, dns-client) for mTLS support.
  • Unit tests added for sanitization + mTLS path.

References:

Credits:

  • hackchang (person who found the bug)

Instructions to create the advisory:

  1. Go to https://github.com/antonio-castellon/module-auth/security/advisories
  2. Click "New draft security advisory"
  3. Paste the Summary into the title field.
  4. Paste the Description into the description field.
  5. Set Ecosystem: npm
  6. Package: @acastellon/auth
  7. Affected versions: < 2.3.0
  8. Patched versions: >= 2.3.0
  9. Severity: High
  10. In the Credits section, add "hackchang"
  11. Add references and publish as draft.

This issue is closed as the fix is released in v2.3.0.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions