@acastellon/auth: Authentication bypass via spoofable headers in validateToken() — GHSA-GFJ5-979R-92PW
ID: GHSA-GFJ5-979R-92PW
Source: GitHub
Vendor: GitHub
Threat: critical
CVSS: 9.3
Summary
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass that is taken when the auth-user header equals service-brother and req.get('host').startsWith(getHostName()) is true. Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header,…
Product
npm: @acastellon/auth
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.