CVE-2026-25651 identifies an open redirect vulnerability (CWE-601) in the tgies client-certificate-auth middleware for Node.js, specifically in versions >= 0.2.1 and < 1.0.0. This middleware is designed to enforce client SSL certificate authentication and authorization by redirecting HTTP requests to HTTPS. However, it unconditionally uses the Host header from incoming HTTP requests to construct the redirect URL without validating or sanitizing it. Since the Host header can be manipulated by an attacker, this flaw allows redirection to arbitrary external domains. Such open redirects can be exploited in phishing campaigns, where users are redirected to malicious sites that appear legitimate, potentially leading to credential theft or malware delivery. The vulnerability does not require authentication but does require user interaction (clicking a link). The CVSS 3.1 base score is 6.1, reflecting medium severity due to the potential for confidentiality and integrity impacts but no direct availability impact. The vulnerability is fixed in version 1.0.0 of the middleware. No public exploits have been reported yet, but the flaw presents a risk especially in environments where client-certificate-auth is used to secure sensitive applications.

For European organizations, this vulnerability poses a risk primarily in the form of phishing and social engineering attacks that leverage the open redirect to bypass user trust. Attackers can craft URLs that appear to originate from legitimate internal services but redirect users to malicious external sites, potentially leading to credential compromise or malware infection. Organizations relying on client-certificate-auth middleware in Node.js for secure access control may see erosion of trust in their authentication mechanisms. While the vulnerability does not directly compromise system availability or allow unauthorized access, it can facilitate attacks that lead to broader security breaches. The impact is heightened in sectors with stringent security requirements such as finance, healthcare, and government, where client certificate authentication is more prevalent. Additionally, the scope includes all affected versions, so organizations running outdated middleware are at risk until they upgrade or implement mitigations.

European organizations should immediately upgrade the tgies client-certificate-auth middleware to version 1.0.0 or later, where the open redirect vulnerability is fixed. Until upgrading is possible, implement strict validation of the Host header to ensure it matches a whitelist of trusted domains before performing redirects. Employ web application firewalls (WAFs) with rules to detect and block suspicious redirect patterns. Educate users about the risks of clicking unexpected links and implement multi-factor authentication to reduce the impact of credential theft. Monitor logs for unusual redirect requests and anomalous traffic patterns. Additionally, consider deploying HTTP Strict Transport Security (HSTS) headers to enforce HTTPS usage without relying solely on redirects. Regularly review and update dependency versions in Node.js applications to prevent similar vulnerabilities.