@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
- When
- Where: Global (internet)
- Category: cyber_advisory · npm
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs.

Impact: An attacker may be able to access routes protected by validateToken() without a valid token. In deployments where downstream services trust auth-user or is-* headers, this may also lead to privilege escalation.

Affected package: @acastellon/auth v2.2.0
Affected code: auth.js, validateToken()

The issue is related to the service-brother bypass and the getHostName() check.

Example request:

```
GET /protected HTTP/1.1
Host: <configured CNAME or hostname>
auth-user: service-brother
is-admin: true
```

Expected behavior: The request should require a valid authentication token.
Actual behavior: The middleware calls next() before token validation.

Fix implemented in v2.3.0+:
- Removed the spoofable bypass.
- Always sanitize incoming auth-user and is-* headers.
- Added mTLS client certificate based service auth (with optional TRUSTED_MTLS_SERVICES allowlist).
- Updated consumers (rest, graphql, dns-client) for mTLS support.
- Unit tests added for sanitization + mTLS path.
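To make the failure mode concrete, the following is an added example, not code from @acastellon/auth: a minimal model of the header-driven bypass described above beside a hardened middleware that strips inbound auth-user and is-* headers and identifies services only through a verified mTLS client certificate. Requests are plain mock objects; getHostName(), requireToken() and the TRUSTED_MTLS_SERVICES allowlist value are assumptions.

```javascript
// Added example (not the package's code). getHostName() and the token check
// are stand-ins; the mTLS allowlist contents are an assumption.
function getHostName() { return 'auth.internal.example'; } // assumed configured CNAME

// Fallback token check (stand-in for the real legacy/JWT/OIDC logic).
function requireToken(req) {
  return req.headers.authorization ? { ok: true, user: 'token-user', isAdmin: false } : { ok: false };
}

// Vulnerable shape: auth-user and Host are both client-supplied, so the
// bypass fires before any token is validated.
function vulnerableValidateToken(req) {
  if (req.headers['auth-user'] === 'service-brother' &&
      (req.headers.host || '').startsWith(getHostName())) {
    return { ok: true, user: 'service-brother', isAdmin: req.headers['is-admin'] === 'true' };
  }
  return requireToken(req);
}

// Hardened shape: drop inbound auth-user / is-* headers, then identify a
// service only by its verified mTLS client certificate (Node's
// tlsSocket.authorized / getPeerCertificate()); Host is never consulted.
const TRUSTED_MTLS_SERVICES = new Set(['service-brother']);
function stripIdentityHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === 'auth-user' || n.startsWith('is-')) continue;
    clean[n] = value;
  }
  return clean;
}

function hardenedValidateToken(req) {
  req.headers = stripIdentityHeaders(req.headers);
  const sock = req.socket;
  if (sock && sock.authorized && typeof sock.getPeerCertificate === 'function') {
    const cn = (sock.getPeerCertificate().subject || {}).CN;
    if (cn && TRUSTED_MTLS_SERVICES.has(cn)) return { ok: true, user: cn, isAdmin: false };
  }
  return requireToken(req);
}

// Constructed sample: the advisory's spoofed request, arriving over a plain
// connection with no client certificate.
function spoofedRequest() {
  return { headers: { host: 'auth.internal.example', 'auth-user': 'service-brother', 'is-admin': 'true' },
           socket: { authorized: false } };
}
```

The vulnerable form admits the spoofed request as an admin service; the hardened form rejects it, and a request that does present an allowlisted client certificate is admitted without any privilege taken from its headers.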
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-18 17:22 UTC