User Impersonation Affecting @acastellon/auth package, versions <2.3.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.54% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ACASTELLONAUTH-17817129
  • published4 Jul 2026
  • disclosed18 Jun 2026
  • creditUnknown

Introduced: 18 Jun 2026

NewCVE-2026-58399  (opens in a new tab)
CWE-290  (opens in a new tab)

How to fix?

Upgrade @acastellon/auth to version 2.3.0 or higher.

Overview

@acastellon/auth is an Authorization Filtering for NodeJS Express Application (NTLM + LDAP + JWT + AWS Cognito + Azure AD/Entra ID + OIDC providers + SAML + env var secrets)

Affected versions of this package are vulnerable to User Impersonation via the validateToken process. An attacker can gain unauthorized access to protected routes and potentially escalate privileges by sending crafted HTTP requests with spoofed auth-user and Host headers, causing the middleware to bypass token validation before standard authentication checks are performed. This is only exploitable if downstream services trust the auth-user or is-* headers provided by the client.

CVSS Base Scores

version 4.0
version 3.1