client-certificate-auth Open Redirect Vulnerability in HTTP-to-HTTPS Redirection
Vulnerability
An open redirect vulnerability has been identified in the client-certificate-auth middleware for Node.js, specifically in versions 0.2.1 and 0.3.0. The vulnerability arises because the middleware redirects HTTP requests to HTTPS using an unvalidated Host header. This flaw allows attackers to redirect users to arbitrary domains. The issue has been resolved in version 1.0.0.
Impact
Exploitation of this vulnerability allows for open redirection to untrusted sites, which can be used for phishing attacks, stealing OAuth or SSO tokens, leaking sensitive URL parameters through the Referer header, and poisoning shared caches with malicious redirects.
Reproduction
To reproduce this vulnerability, send an HTTP request to a server running client-certificate-auth version 0.2.1 or 0.3.0. Ensure that the 'x-forwarded-proto' header is not set to 'https'. The server will redirect the request to 'https://' followed by the unvalidated Host header, which can be manipulated to point to an arbitrary domain.
Remediation
Upgrade to client-certificate-auth version 1.0.0, which removes the vulnerable redirect behavior. If an immediate upgrade is not possible, block HTTP traffic at the network or load balancer level, ensure that the reverse proxy sets 'x-forwarded-proto: https', or add middleware to validate the Host header against an allowlist.
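The following is an added example, not code from the client-certificate-auth project, showing the unvalidated HTTP-to-HTTPS redirect pattern the advisory describes beside the allowlist-based Host validation it recommends as a mitigation. It assumes a Connect/Express-style `(req, res, next)` middleware signature; the hostnames and requests are constructed for illustration, and `runMiddleware` is a small stand-in for Node's request and response objects so the code runs offline.

```javascript
// Added example (not client-certificate-auth's own code): the unvalidated
// HTTP-to-HTTPS redirect pattern from the advisory beside a hardened version
// that only redirects to hosts on an explicit allowlist. Uses the
// Connect/Express-style (req, res, next) middleware signature; hostnames and
// requests below are constructed for illustration.

// Unsafe pattern: the Location header is built from whatever Host header the
// client sent, so any domain can be supplied by the requester.
function unsafeHttpsRedirect(req, res, next) {
  if (req.headers['x-forwarded-proto'] === 'https') return next();
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + req.headers.host + req.url);
  res.end();
}

// Hardened pattern: redirect only when the Host header exactly matches a
// configured name (include the port if clients use a non-default one), and
// only to an origin-form path, so an absolute-form request-target from a
// misbehaving proxy cannot introduce a second host into the Location.
function makeHostAllowlistRedirect(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function httpsRedirect(req, res, next) {
    if (req.headers['x-forwarded-proto'] === 'https') return next();
    const host = String(req.headers.host || '').toLowerCase();
    if (!allowed.has(host)) {
      res.statusCode = 400;
      res.end('Bad Request: unrecognised Host header');
      return;
    }
    const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
    res.statusCode = 301;
    res.setHeader('Location', 'https://' + host + path);
    res.end();
  };
}

// Minimal stand-in for Node's request/response objects so the middleware
// can be exercised offline; returns a record of what the middleware did.
function runMiddleware(middleware, req) {
  const result = { statusCode: 200, headers: {}, nextCalled: false };
  const res = {
    set statusCode(v) { result.statusCode = v; },
    get statusCode() { return result.statusCode; },
    setHeader(name, value) { result.headers[name] = value; },
    end() {},
  };
  middleware({ headers: {}, url: '/', ...req }, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed requests: a forged Host header, a legitimate one, an
// absolute-form request-target, and a request the reverse proxy already
// terminated as HTTPS.
const forged = { headers: { host: 'attacker.example' }, url: '/login' };
const legit = { headers: { host: 'app.example.com' }, url: '/login?next=%2Fhome' };
const absoluteForm = { headers: { host: 'app.example.com' }, url: 'http://attacker.example/' };
const viaProxy = { headers: { host: 'app.example.com', 'x-forwarded-proto': 'https' }, url: '/' };

const hardened = makeHostAllowlistRedirect(['app.example.com', 'app.example.com:8443']);

console.log('unsafe, forged host   ->', runMiddleware(unsafeHttpsRedirect, forged).headers.Location); // https://attacker.example/login
console.log('hardened, forged host ->', runMiddleware(hardened, forged).statusCode);                  // 400
console.log('hardened, legit host  ->', runMiddleware(hardened, legit).headers.Location);             // https://app.example.com/login?next=%2Fhome
console.log('hardened, absolute    ->', runMiddleware(hardened, absoluteForm).headers.Location);      // https://app.example.com/
console.log('hardened, via proxy   ->', runMiddleware(hardened, viaProxy).nextCalled);                // true
```

The allowlist uses exact, case-insensitive matching rather than a substring or regex test, because a pattern such as `/example\.com/` would still accept `example.com.attacker.example`. Responding with 400 on an unexpected Host also gives the proxy or WAF a clear signal to log and alert on, which is the detection opportunity for this class of issue.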
