OAuth2-Proxy Vulnerability Enables Authentication Bypass by Manipulating Query Parameters

A critical security vulnerability has been identified in OAuth2-Proxy, a widely used reverse proxy that provides authentication in front of applications using Google, Azure, OpenID Connect, and numerous other identity providers.

The vulnerability, designated as CVE-2025-54576, enables attackers to bypass authentication mechanisms by manipulating query parameters in crafted URLs, potentially granting unauthorized access to protected resources.

Key Takeaways
1. OAuth2-Proxy versions below 7.10.0 contain a critical authentication bypass.
2. skip_auth_routes is matched against the full request URI instead of the path only, so crafted URLs can bypass authentication.
3. Upgrade to v7.11.0 and use specific regex patterns instead of wildcards.

OAuth2-Proxy Vulnerability

The vulnerability specifically affects OAuth2-Proxy deployments utilizing the skip_auth_routes configuration option with regex patterns. 


The flaw stems from incorrect request URI matching: skip_auth_routes is matched against the complete request URI (path plus query string) rather than against the path component alone, as the documentation states.

This discrepancy creates a significant attack vector where malicious actors can append specially crafted query parameters to URLs, effectively satisfying configured regex patterns and circumventing authentication controls. 

For example, the configuration setting skip_auth_routes = [ "^/foo/.*/bar$" ], intended to allow unauthenticated access only to /foo/something/bar, can be exploited to also permit access to /foo/critical_endpoint?param=/bar.

The vulnerability code is present in oauthproxy.go#L582-584 and pkg/requests/util/util.go#L37-L44, where the improper URI handling logic resides.
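The following Go program is an added illustration of the matching difference described above; it is not oauth2-proxy's own code and the function names are invented for this example. It tests the page's pattern ^/foo/.*/bar$ against the same URLs once using the full request URI (the flawed behaviour) and once using only the path (the documented behaviour), so the result of the query-parameter trick can be observed directly.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// MatchFullURI models the flawed behaviour: the skip_auth_routes regex is
// tested against path + query string, so the query can satisfy the pattern.
// (Illustrative reconstruction, not oauth2-proxy's code.)
func MatchFullURI(re *regexp.Regexp, u *url.URL) bool {
	return re.MatchString(u.RequestURI())
}

// MatchPathOnly models the documented behaviour: only the path component is
// matched, so query parameters cannot influence the decision.
func MatchPathOnly(re *regexp.Regexp, u *url.URL) bool {
	return re.MatchString(u.EscapedPath())
}

// Evaluate compiles one skip_auth_routes pattern and reports whether the
// given request URL would skip authentication under each matching mode.
func Evaluate(pattern, rawURL string) (fullURI, pathOnly bool, err error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, false, err
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, false, err
	}
	return MatchFullURI(re, u), MatchPathOnly(re, u), nil
}

func main() {
	pattern := `^/foo/.*/bar$` // the pattern quoted in the advisory text
	for _, raw := range []string{
		"/foo/something/bar",                // intended to skip authentication
		"/foo/critical_endpoint?param=/bar", // the advisory's bypass example
		"/foo/critical_endpoint",            // protected path, no query trick
	} {
		full, path, err := Evaluate(pattern, raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s full-URI match=%-5v path-only match=%v\n", raw, full, path)
	}
}
```

Under full-URI matching the second URL is treated as a public route even though its path is /foo/critical_endpoint; under path-only matching it is not. This is also a quick way to confirm whether a given pattern in your own configuration is exposed: any pattern containing a wildcard that a query string can extend will produce the same split result.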

This vulnerability is rated as Critical with a CVSS v3.1 score reflecting high confidentiality and integrity impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). 

Deployments most at risk include those using skip_auth_routes with regex patterns containing wildcards or broad matching patterns, particularly when backend services ignore unknown query parameters.

Risk Factors and Details
Affected Products: OAuth2-Proxy versions < 7.10.0
Impact: authentication bypass; unauthorized access to protected resources; high confidentiality and integrity compromise
Exploit Prerequisites: deployment uses the skip_auth_routes configuration; regex patterns with wildcards or broad matching; backend services that ignore unknown query parameters
CVSS 3.1 Score: 9.1 (Critical)

Mitigations

OAuth2-Proxy maintainers have released version 7.11.0 as a patched solution, addressing the vulnerability for all affected versions below 7.10.0. 

For immediate mitigation, security teams should audit all skip_auth_routes configurations for overly permissive patterns, replace wildcard patterns with exact path matches where feasible, and ensure regex patterns are properly anchored using ^ and $ markers. 

A secure configuration example replaces a broad pattern such as "^/public/.*" with specific paths such as ["^/public/assets$", "^/public/health$", "^/api/status$"].
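As an added example of the audit step recommended above (not part of the advisory or of oauth2-proxy), the Go program below checks a list of skip_auth_routes patterns for the three properties the text calls out: the pattern must compile, must be anchored with ^ and $, and should not rely on an unbounded wildcard. The function names and the sample configuration lists are invented for this illustration; the patterns themselves are the ones quoted in the text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditPattern returns the findings for one skip_auth_routes regex: it does
// not compile, it is not anchored at both ends, or it contains an unbounded
// wildcard. An empty result means the pattern passed every check.
// (Hypothetical helper written for this example.)
func AuditPattern(p string) []string {
	if _, err := regexp.Compile(p); err != nil {
		return []string{"does not compile: " + err.Error()}
	}
	var findings []string
	if !strings.HasPrefix(p, "^") {
		findings = append(findings, "missing ^ anchor")
	}
	if !strings.HasSuffix(p, "$") {
		findings = append(findings, "missing $ anchor")
	}
	if strings.Contains(p, ".*") || strings.Contains(p, ".+") {
		findings = append(findings, "contains unbounded wildcard (.* or .+)")
	}
	return findings
}

// AuditRoutes audits every pattern in a skip_auth_routes list and returns
// only the patterns that produced findings, keyed by pattern.
func AuditRoutes(patterns []string) map[string][]string {
	report := make(map[string][]string)
	for _, p := range patterns {
		if f := AuditPattern(p); len(f) > 0 {
			report[p] = f
		}
	}
	return report
}

func main() {
	// Constructed sample configurations: the broad one and the specific
	// replacement both quoted in the advisory text.
	broad := []string{"^/public/.*"}
	specific := []string{"^/public/assets$", "^/public/health$", "^/api/status$"}

	for name, routes := range map[string][]string{"broad": broad, "specific": specific} {
		report := AuditRoutes(routes)
		fmt.Printf("%s config: %d pattern(s) with findings\n", name, len(report))
		for p, findings := range report {
			fmt.Printf("  %s -> %s\n", p, strings.Join(findings, "; "))
		}
	}
}
```

Note that anchoring alone does not close the gap on an unpatched version: the advisory's own example ^/foo/.*/bar$ is anchored at both ends and is still bypassable, so the wildcard finding is the one to act on first, alongside upgrading to 7.11.0.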

Organizations should prioritize upgrading to the patched version while implementing these interim security measures to prevent potential authentication bypass attacks.
