Credit: hackchang for discovering and reporting this vulnerability.
OFFICIAL GITHUB SECURITY ADVISORY DRAFT CONTENT
Copy and paste the sections below into the GitHub "New draft security advisory" form.
Summary (Title):
Authentication bypass in @acastellon/auth v2.2.0 via spoofable headers in validateToken() (fixed in v2.3.0)
Description:
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers.
The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs.
Impact:
An attacker may be able to access routes protected by validateToken() without a valid token. In deployments where downstream services trust auth-user or is-* headers, this may also lead to privilege escalation.
Affected package:
@acastellon/auth v2.2.0
Affected code:
auth.js, validateToken()
The issue is related to the service-brother bypass and getHostName() check.
Example request:
GET /protected HTTP/1.1
Host: <configured CNAME or hostname>
auth-user: service-brother
is-admin: true
Expected behavior:
The request should require a valid authentication token.
Actual behavior:
The middleware calls next() before token validation.
Fix implemented in v2.3.0+:
- Removed the spoofable bypass.
- Always sanitize incoming auth-user and is-* headers.
- Added mTLS client certificate based service auth (with optional TRUSTED_MTLS_SERVICES allowlist).
- Updated consumers (rest, graphql, dns-client) for mTLS support.
- Unit tests added for sanitization + mTLS path.
References:
Credits:
- hackchang (person who found the bug)
Instructions to create the advisory:
- Go to https://github.com/antonio-castellon/module-auth/security/advisories
- Click "New draft security advisory"
- Paste the Summary into the title field.
- Paste the Description into the description field.
- Set Ecosystem: npm
- Package: @acastellon/auth
- Affected versions: < 2.3.0
- Patched versions: >= 2.3.0
- Severity: High
- In the Credits section, add "hackchang"
- Add references and publish as draft.
This issue is closed as the fix is released in v2.3.0.
Credit: hackchang for discovering and reporting this vulnerability.
OFFICIAL GITHUB SECURITY ADVISORY DRAFT CONTENT
Copy and paste the sections below into the GitHub "New draft security advisory" form.
Summary (Title):
Authentication bypass in @acastellon/auth v2.2.0 via spoofable headers in validateToken() (fixed in v2.3.0)
Description:
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers.
The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs.
Impact:
An attacker may be able to access routes protected by validateToken() without a valid token. In deployments where downstream services trust auth-user or is-* headers, this may also lead to privilege escalation.
Affected package:
@acastellon/auth v2.2.0
Affected code:
auth.js, validateToken()
The issue is related to the service-brother bypass and getHostName() check.
Example request:
Expected behavior:
The request should require a valid authentication token.
Actual behavior:
The middleware calls next() before token validation.
Fix implemented in v2.3.0+:
References:
Credits:
Instructions to create the advisory:
This issue is closed as the fix is released in v2.3.0.