js · @acastellon/auth · Critical
@acastellon/auth v2.2.0: validateToken() authentication bypass via spoofable headers
What changed
In @acastellon/auth v2.2.0, the validateToken() middleware contains a service-to-service trust path that an unauthenticated attacker can reach by spoofing the auth-user and Host headers, resulting in an authentication bypass.
Who it affects
All users of @acastellon/auth v2.2.0, especially those relying on validateToken() for route protection and downstream services trusting auth-user or is-* headers.
What to do today
Upgrade to v2.3.0+ immediately to remove the spoofable bypass and enforce mTLS-based service authentication.