Skip to main content

Module Auth

1 CVEs product

Monthly

CVE-2026-58399 npm HIGH PATCH GHSA This Week

Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).

Authentication Bypass Module Auth
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).

Authentication Bypass Module Auth
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy