GHSA-GFJ5-979R-92PW: Unauthenticated Authentication Bypass in @acastellon/auth via Header Spoofing
Vulnerability ID: GHSA-GFJ5-979R-92PW
CVSS Score: 9.3
Published: 2026-06-18
An unauthenticated authentication bypass vulnerability exists in @acastellon/auth, an authorization middleware package for Express-based microservices. The vulnerability allows a remote, unauthenticated attacker to completely bypass token validation checks in the validateToken() middleware via spoofed HTTP headers.
TL;DR
Unauthenticated remote attackers can bypass JWT/OIDC validation in @acastellon/auth < 2.3.0 by spoofing the 'auth-user' and 'Host' headers.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-290
- Attack Vector: Network
- CVSS Score: 9.3 (CVSS v4.0)
- EPSS Score: N/A
- Impact: Complete Authentication Bypass
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- @acastellon/auth: < 2.3.0 (Fixed in: 2.3.0)
Exploit Details
- GitHub Issues: Vulnerability disclosure in issue #6 detailing validation bypass
Mitigation Strategies
- Upgrade @acastellon/auth to version 2.3.0 or higher.
- Enforce Mutual TLS (mTLS) for peer-to-peer authentication.
- Implement perimeter-level header filtering to strip 'auth-user' and 'is-*' headers.
Remediation Steps:
- Verify your project's dependency version of @acastellon/auth in package.json.
- Upgrade @acastellon/auth to at least version 2.3.0 via your package manager.
- Configure the middleware to use mTLS by specifying the TRUSTED_MTLS_SERVICES parameter.
- Configure upstream API gateways to strip incoming client headers containing auth-user or is-* keys.
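One way to implement the perimeter header filtering recommended above, as an added example that is not code from @acastellon/auth: the blocked header names ('auth-user', 'is-*') come from this advisory, while the function names and the onStripped hook are assumptions of this example.

```javascript
// Added example (not part of @acastellon/auth): a perimeter filter that drops
// client-supplied identity headers so downstream services never see spoofed
// 'auth-user' or 'is-*' values. Header names are compared case-insensitively;
// Node lowercases keys in req.headers, but an upstream proxy may not.
const BLOCKED_EXACT = new Set(['auth-user']);
const BLOCKED_PREFIXES = ['is-'];

// True when a header carries identity/role claims that only trusted internal
// components may set and which must never be accepted from the outside.
function isUntrustedIdentityHeader(name) {
  const n = String(name).toLowerCase();
  return BLOCKED_EXACT.has(n) || BLOCKED_PREFIXES.some((p) => n.startsWith(p));
}

// Pure helper: returns a copy of the header map without blocked headers and the
// list of names that were dropped (in their original spelling) for logging.
function stripUntrustedIdentityHeaders(headers) {
  const kept = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isUntrustedIdentityHeader(name)) removed.push(name);
    else kept[name] = value;
  }
  return { headers: kept, removed };
}

// Express-style middleware (req, res, next). Blocked headers are deleted from
// req.headers in place so validateToken() or any later handler cannot read them.
// onStripped (assumed hook, optional) receives the removed names for detection:
// an external client sending these headers at the edge is itself an alert signal.
function identityHeaderFilter(options = {}) {
  const onStripped = options.onStripped || (() => {});
  return function filter(req, res, next) {
    const { removed } = stripUntrustedIdentityHeaders(req.headers || {});
    for (const name of removed) delete req.headers[name];
    if (removed.length > 0) onStripped(removed, req);
    next();
  };
}

// Constructed sample request (not a real capture) showing the filter in action.
function demo() {
  const req = { headers: { host: 'api.internal', 'auth-user': 'admin', 'Is-Admin': 'true', authorization: 'Bearer <token>' } };
  const seen = [];
  identityHeaderFilter({ onStripped: (names) => seen.push(...names) })(req, {}, () => {});
  return { remaining: Object.keys(req.headers), stripped: seen };
}
```

Mount the filter before any authorization middleware at the gateway, and treat every non-empty onStripped call from an external source as a spoofing attempt worth logging.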
References
- GitHub Security Advisory Record
- Official Security Fix Code Comparison
- Disclosing GitHub Issue #6
- OSV Entry
- npm Package Registry Page
- Project Repository