CVE-2025-54576
📋 TL;DR
This vulnerability allows attackers to bypass authentication in OAuth2-Proxy by crafting URLs with query parameters that match regex patterns in the skip_auth_routes configuration. Organizations running OAuth2-Proxy versions 7.10.0 and below with regex patterns in skip_auth_routes are affected. The bypass occurs because the regex is matched against the request URI with its query parameters included, so a query string can satisfy a pattern that the path alone would not.
💻 Affected Systems
- oauth2-proxy
📦 What is this software?
oauth2-proxy by the oauth2-proxy project: a reverse proxy that authenticates requests before they reach the protected resources behind it.
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to all protected resources behind the proxy, potentially exposing sensitive data and systems.
Likely Case
Targeted authentication bypass for specific protected endpoints, leading to unauthorized data access or privilege escalation.
If Mitigated
Limited or no impact if skip_auth_routes uses exact path matches or properly anchored regex patterns without wildcards.
🎯 Exploit Status
Exploitation requires knowledge of skip_auth_routes patterns and involves simple URL manipulation with query parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.11.0
Vendor Advisory: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434
Restart Required: Yes
Instructions:
1. Update oauth2-proxy to version 7.11.0 or later.
2. Restart the oauth2-proxy service.
3. Verify the update with 'oauth2-proxy --version'.
🔧 Temporary Workarounds
Audit and tighten regex patterns
Review all skip_auth_routes configurations and replace overly permissive patterns with exact path matches or properly anchored regex.
Review configuration files for skip_auth_routes patterns
Implement query parameter stripping
Add custom middleware to strip query parameters before regex matching in the request processing pipeline.
Implement custom request processing logic before oauth2-proxy
🧯 If You Can't Patch
- Audit all skip_auth_routes configurations and ensure regex patterns are properly anchored with ^ and $
- Replace wildcard patterns with exact path matches wherever possible
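As an added example (not oauth2-proxy's own code), the following Go program contrasts the pre-7.11.0 matching behaviour described in the TL;DR with the path-only matching that the query-parameter-stripping workaround provides, and includes the anchor audit from the list above. The skip_auth_routes entries and request URIs are constructed for the demo, and the function names are hypothetical.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Constructed skip_auth_routes list for the demo; "/healthz" is unanchored,
// the kind of pattern the workaround section tells you to tighten.
var skipAuthRoutes = []string{"/healthz", "^/api/public/.*$"}

// SkipAuthVulnerable models the pre-7.11.0 behaviour described above: each
// regex is tested against the full request URI, query string included.
func SkipAuthVulnerable(patterns []string, requestURI string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(requestURI) {
			return true
		}
	}
	return false
}

// SkipAuthFixed tests each regex against the path component only, which is
// what stripping the query string before matching achieves.
func SkipAuthFixed(patterns []string, requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(u.Path) {
			return true, nil
		}
	}
	return false, nil
}

// UnanchoredPatterns returns the entries missing a ^ or $ anchor, the audit
// the "If You Can't Patch" list asks for.
func UnanchoredPatterns(patterns []string) []string {
	var bad []string
	for _, p := range patterns {
		if !strings.HasPrefix(p, "^") || !strings.HasSuffix(p, "$") {
			bad = append(bad, p)
		}
	}
	return bad
}
```

With the constructed list, a request for `/admin/users?redirect=/healthz` is let through by the vulnerable matcher but still challenged by the path-only one, and the audit flags `/healthz` as unanchored.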
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if you run oauth2-proxy version 7.10.0 or below and have skip_auth_routes configured with regex patterns that contain wildcards or otherwise match broadly.
Check Version:
oauth2-proxy --version
Verify Fix Applied:
Confirm that oauth2-proxy reports version 7.11.0 or later, then confirm that requests to protected paths whose query parameters match a skip_auth_routes pattern are still challenged for authentication.
📡 Detection & Monitoring
Log Indicators:
- Access to protected routes with no corresponding authentication log entry
- Requests with crafted query parameters matching skip_auth_routes patterns
Network Indicators:
- HTTP requests with query parameters accessing typically protected endpoints without authentication headers
SIEM Query:
source="oauth2-proxy" AND (event="authentication_bypass" OR (status=200 AND auth="none" AND uri MATCHES skip_auth_routes_patterns))
🔗 References
- https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/oauthproxy.go#L582-L584
- https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/pkg/requests/util/util.go#L37-L44
- https://github.com/oauth2-proxy/oauth2-proxy/commit/9ffafad4b2d2f9f7668e5504565f356a7c047b77
- https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434
- https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/#proxy-options