Module Auth
Monthly
Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).
Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).