CVE-2026-25651: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in tgies client-certificate-auth
CVE-2026-25651 is an open redirect vulnerability in the tgies client-certificate-auth middleware for Node.js, versions 0.2.1 through 0.3.0. When redirecting plain-HTTP requests to HTTPS, the middleware builds the redirect target from the unvalidated Host header, so a crafted request produces a redirect to an arbitrary, potentially malicious domain. The flaw can be exploited without authentication but requires user interaction to follow the redirect. It impacts confidentiality and integrity by enabling phishing and session hijacking. It is fixed in version 1.0.0.
AI Analysis
Technical Summary
CVE-2026-25651 affects the tgies client-certificate-auth middleware for Node.js, versions from 0.2.1 up to but not including 1.0.0. The middleware implements client TLS certificate authentication and authorization. The core issue is an open redirect (CWE-601): the middleware unconditionally redirects plain-HTTP requests to HTTPS and builds the redirect target from the request's Host header without validating it. Because Host is supplied by whoever sends the request, a crafted request yields a 3xx response whose Location points at an attacker-chosen domain. Such redirects are useful in phishing: the link a victim first sees belongs to a legitimate host, and the hop to the malicious site happens server-side. Note that in a direct browser-to-origin request the browser derives Host from the URL it is loading, so delivering an attacker-influenced Host to the middleware in practice usually involves an intermediary that forwards it (a reverse proxy, load balancer or cache) or an absolute-form request target; the fix is to stop trusting Host regardless of how it arrives. No authentication is required, but the victim must follow the redirect. The CVSS 3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact and no availability impact (the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N that is customary for open redirects). No exploitation in the wild has been reported. The issue is fixed in version 1.0.0. Organizations running affected versions should upgrade and, independently of the upgrade, stop deriving redirect targets from the request's Host header.
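The pattern described above, reduced to a minimal Express-style middleware, as an added example. This is not code from the client-certificate-auth project: vulnerableRedirect, hardenedRedirect, ALLOWED_HOSTS and the runMiddleware harness are names chosen here for illustration, and the hostnames are constructed sample values.

```javascript
// Added example, not the client-certificate-auth project's code.
// An HTTP -> HTTPS redirect that trusts the Host header (open redirect, the
// class of bug in CVE-2026-25651) next to a version that only redirects to
// configured hostnames. All names and hosts below are illustrative assumptions.

// Vulnerable pattern: the Location target is built from req.headers.host,
// which is supplied by whoever sent the request.
function vulnerableRedirect(req, res, next) {
  if (req.secure) return next();
  res.statusCode = 302;
  res.setHeader('Location', 'https://' + req.headers.host + req.url);
  res.end();
}

// Hardened pattern: Host must match a configured allowlist (exact match after
// lowercasing, port included when non-default); anything else is refused
// with a 400 rather than redirected.
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);

function hardenedRedirect(req, res, next) {
  if (req.secure) return next();
  const host = String(req.headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    res.statusCode = 400;
    res.end('Bad Request: unrecognized Host');
    return;
  }
  // In Node, req.url is the request target verbatim: for an absolute-form
  // target ("GET http://evil.example/x HTTP/1.1") it is a full URL. Accept
  // only an origin-form path ("/..." but not "//..."), else fall back to "/".
  const path = req.url.startsWith('/') && !req.url.startsWith('//') ? req.url : '/';
  res.statusCode = 307; // preserves the request method across the redirect
  res.setHeader('Location', 'https://' + host + path);
  res.end();
}

// Tiny harness standing in for Express's req/res objects so the example runs
// without a server; returns what a client would observe.
function runMiddleware(mw, headers, url, secure = false) {
  const req = { headers, url, secure };
  const res = {
    statusCode: 200,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(body = '') { this.body = body; },
  };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, location: res.headers.location, nextCalled };
}

// A crafted Host reaching the vulnerable middleware yields a redirect to an
// attacker-chosen origin; the hardened middleware refuses the same request.
const crafted = { host: 'evil.example' };
console.log(runMiddleware(vulnerableRedirect, crafted, '/login'));
// -> { status: 302, location: 'https://evil.example/login', nextCalled: false }
console.log(runMiddleware(hardenedRedirect, crafted, '/login'));
// -> { status: 400, location: undefined, nextCalled: false }
console.log(runMiddleware(hardenedRedirect, { host: 'App.Example.com' }, '/login?x=1'));
// -> { status: 307, location: 'https://app.example.com/login?x=1', nextCalled: false }
```

Run it with `node redirect.js`. The allowlist must be configuration, not anything read from the request; if the application sits behind a reverse proxy, the same allowlist should be enforced at the proxy so unexpected Host values never reach Node.js.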
Potential Impact
For European organizations this vulnerability poses a moderate risk, mainly through phishing and social engineering that use the open redirect to deliver victims to attacker-controlled sites. That can lead to credential theft, session hijacking or malware delivery, affecting the confidentiality and integrity of sensitive data. Organizations that rely on client-certificate-auth to gate access may find the trust users place in its hostname turned against them when that hostname is the first hop of a redirect to an attacker-controlled domain. Availability is not directly affected, but the redirect can serve as a stepping stone in a broader attack. Finance, healthcare and government, which commonly use client certificate authentication for access to sensitive services, are particularly exposed. The medium severity warrants timely remediation, given how widely Node.js is used in European web applications and services.
Mitigation Recommendations
1. Upgrade tgies client-certificate-auth to version 1.0.0 or later, where the vulnerability is fixed.
2. Do not build redirect targets from the request's Host header. Redirect to a canonical hostname taken from configuration, or validate Host against an allowlist of expected values (including any non-default port) and answer with 400 when it does not match; do not attempt to "sanitize" an unrecognized value into a redirect.
3. Where a reverse proxy or load balancer fronts the application, enforce the same Host allowlist there (serve only named virtual hosts and return an error from the default server) so that unexpected Host values never reach Node.js.
4. Content Security Policy does not control where a server-side 3xx response sends the browser, so it is not a fix for this issue; frame-ancestors (against framing) and form-action (against posting credentials to a foreign origin) remain useful as defense in depth.
5. Educate users to check the address bar after following a link, especially from email; an open redirect lands them on a different origin than the one the link displayed.
6. Monitor web server logs for redirect responses whose Host or Location host is not one of your own, and for requests carrying absolute-form request targets or otherwise unusual Host values.
7. Consider additional layers of authentication and anomaly detection around client certificate authentication flows to detect potential misuse.
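Detection logic for item 6, run over constructed log lines, as an added example. It is not the project's or any vendor's code: the JSON-per-line access-log shape, its field names (ts, ip, method, url, host, status, location), the OWN_HOSTS allowlist and every sample value are assumptions made for this illustration.

```javascript
// Added example: flag redirect responses whose Host or Location host is not
// one of our own, plus requests that arrive with an absolute-form target.
// Log format, field names and all values are constructed assumptions.
const OWN_HOSTS = new Set(['app.example.com', 'app.example.com:8443']);

// Constructed sample log: one JSON object per line, as a JSON logger
// (morgan/pino style) might emit when configured to record Host and Location.
const SAMPLE_LOG = [
  '{"ts":"2026-02-06T19:15:12Z","ip":"198.51.100.7","method":"GET","url":"/login","host":"app.example.com","status":307,"location":"https://app.example.com/login"}',
  '{"ts":"2026-02-06T19:15:40Z","ip":"203.0.113.5","method":"GET","url":"/login","host":"evil.example","status":302,"location":"https://evil.example/login"}',
  '{"ts":"2026-02-06T19:16:02Z","ip":"203.0.113.5","method":"GET","url":"/login","host":"app.example.com","status":302,"location":"//evil.example/login"}',
  '{"ts":"2026-02-06T19:16:30Z","ip":"198.51.100.9","method":"GET","url":"/dashboard","host":"app.example.com","status":200}',
  '{"ts":"2026-02-06T19:17:01Z","ip":"203.0.113.8","method":"GET","url":"http://evil.example/","host":"app.example.com","status":200}',
  'not json at all',
];

// Resolve the host a Location header sends the browser to, treating relative
// targets (including protocol-relative "//host/...") the way a browser would.
function redirectHost(location, requestHost) {
  try {
    return new URL(location, 'https://' + requestHost + '/').host.toLowerCase();
  } catch {
    return null; // unparsable: report it rather than silently pass it
  }
}

// Returns one finding per suspicious log line: { ts, ip, reasons[] }.
function findSuspicious(lines, ownHosts = OWN_HOSTS) {
  const findings = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    const host = String(e.host || '').toLowerCase();
    const reasons = [];
    if (!ownHosts.has(host)) {
      reasons.push('unrecognized Host header: ' + (host || '<missing>'));
    }
    if (e.status >= 300 && e.status < 400 && e.location !== undefined) {
      const target = redirectHost(String(e.location), host || 'unknown.invalid');
      if (target === null) reasons.push('unparsable Location: ' + e.location);
      else if (!ownHosts.has(target)) reasons.push('redirect to foreign host: ' + target);
    }
    // An absolute-form request target is one way a foreign host reaches the app.
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(String(e.url || ''))) {
      reasons.push('absolute-form request target: ' + e.url);
    }
    if (reasons.length) findings.push({ ts: e.ts, ip: e.ip, reasons });
  }
  return findings;
}

for (const f of findSuspicious(SAMPLE_LOG)) {
  console.log(f.ts, f.ip, f.reasons.join('; '));
}
// -> three findings: the evil.example Host with a foreign redirect, the
//    protocol-relative Location, and the absolute-form request target
```

In production, replace SAMPLE_LOG with lines read from the real logger and make sure the logger records both the Host header and the Location response header; without those two fields the redirect target cannot be reconstructed from the log.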
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.792Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69863dc0f9fa50a62f29294b
Added to database: 2/6/2026, 7:15:12 PM
Last enriched: 2/6/2026, 7:30:37 PM
Last updated: 2/6/2026, 8:17:10 PM
Views: 6
Related Threats
- CVE-2026-2065: Missing Authentication in Flycatcher Toys smART Pixelator (Medium)
- CVE-2026-25640: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pydantic pydantic-ai (High)
- CVE-2026-25641: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in nyariv SandboxJS (Critical)
- CVE-2026-25587: CWE-94: Improper Control of Generation of Code ('Code Injection') in nyariv SandboxJS (Critical)
- CVE-2026-25586: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nyariv SandboxJS (Critical)