CVE-2025-54576
Published 2025-07-30
Priority P262 · critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 1.13% (62.4th percentile)
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes configuration option with regex patterns. Attackers can bypass authentication by crafting URLs with query parameters that satisfy configured regex patterns, allowing unauthorized access to protected resources. The issue stems from skip_auth_routes matching against the full request URI. Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk. This issue is fixed in version 7.11.0. Workarounds include: auditing all skip_auth_routes configurations for overly permissive patterns, replacing wildcard patterns with exact path matches where possible, ensuring regex patterns are properly anchored (starting with ^ and ending with $), or implementing custom validation that strips query parameters before regex matching.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | oauth2-proxy_oauth2-proxy_v7 | >= 0 < 7.11.0 | 7.11.0 |
| oauth2-proxy | oauth2-proxy | < 7.11.0 | 7.11.0 |
| oauth2_proxy_project | oauth2_proxy | < 7.11.0 | 7.11.0 |
Detection & IOCs (extracted from sources)
- Authentication bypass is triggered by crafting URLs with query parameters that satisfy skip_auth_routes regex patterns — monitor for requests to protected resources where the URI contains unexpected query parameters matching configured skip_auth_routes patterns
- The bypass occurs because skip_auth_routes matches against the full request URI (including query string), not just the path — detection logic should flag unauthenticated requests to protected paths that contain query parameters
- Deployments using skip_auth_routes with wildcard or broad regex patterns are most at risk — audit configurations for unanchored patterns (missing ^ prefix or $ suffix) as these are the exploitable configurations
- HTTP query parameters are the attack vector — inspect access logs for requests to skip_auth_routes-protected endpoints that include query strings not normally expected on those paths
- Only oauth2-proxy versions 7.10.0 and below are vulnerable — identify and flag deployments running these versions in your environment
- The vulnerability only affects deployments that have manually configured the skip_auth_routes option with a regular expression — default configurations are NOT affected
- Regex patterns in skip_auth_routes must be properly anchored (starting with ^ and ending with $) to prevent query-parameter-based bypass; unanchored or wildcard patterns are the exploitable condition
- Red Hat Ceph Storage 8 (rhceph/oauth2-proxy-rhel9) is confirmed NOT affected
- The fix is available in version 7.11.0; as an interim workaround, replace wildcard patterns with exact path matches or strip query parameters before regex matching
CVSS provenance
- nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- vendor_redhat: 9.1 CRITICAL
Red Hat
vendor_redhat · 2025-07-30 · CVSS 9.1
CVE-2025-54576 [CRITICAL] CWE-290 github.com/oauth2-proxy/oauth2-proxy: OAuth2-Proxy authentication bypass
OSV
osv · 2025-08-11
CVE-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion in github.com/oauth2-proxy/oauth2-proxy
GHSA
ghsa · 2025-07-30
CVE-2025-54576 [CRITICAL] CWE-290 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
### Impact
This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.
The issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.
Example Attack:
* Configuration: `skip_auth_routes = [ "^/foo/.*/bar$"
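As an added example (not code from oauth2-proxy or from the advisory), the following Go program reproduces the discrepancy the Impact section describes and the check the Detection & IOCs list calls for. `matchesFullURI` stands in for the pre-7.11.0 behaviour (regex tested against path + query), `matchesPathOnly` for the documented path-only semantics and the "strip query parameters before regex matching" workaround, `auditPattern` for the anchoring audit, and `flagAccessLog` applies the difference between the two matchers to access-log lines. The function names, the second pattern `^/healthz$`, the request URIs and the log lines are constructed for illustration; any method prefix the real option accepts is not modelled.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// compileRoutes compiles skip_auth_routes-style regex entries (constructed
// helper; method prefixes are deliberately not modelled).
func compileRoutes(patterns []string) ([]*regexp.Regexp, error) {
	routes := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("skip_auth_routes entry %q: %w", p, err)
		}
		routes = append(routes, re)
	}
	return routes, nil
}

// matchesFullURI reproduces the vulnerable behaviour the advisory describes:
// the regex is tested against the full request URI, query string included.
func matchesFullURI(routes []*regexp.Regexp, requestURI string) bool {
	for _, re := range routes {
		if re.MatchString(requestURI) {
			return true
		}
	}
	return false
}

// matchesPathOnly is the documented semantics and the workaround of stripping
// query parameters before matching: only the path component is tested.
func matchesPathOnly(routes []*regexp.Regexp, requestURI string) bool {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false // an unparsable URI never skips authentication
	}
	for _, re := range routes {
		if re.MatchString(u.Path) {
			return true
		}
	}
	return false
}

// isQueryOnlySkip is the detection condition from the IOC list: the full URI
// satisfies a skip route but the path alone does not, so the query string is
// the only reason authentication would have been skipped.
func isQueryOnlySkip(routes []*regexp.Regexp, requestURI string) bool {
	return matchesFullURI(routes, requestURI) && !matchesPathOnly(routes, requestURI)
}

// auditPattern reports the anchoring gaps the workaround tells operators to
// look for: a pattern not starting with ^ or not ending with $.
func auditPattern(pattern string) []string {
	var findings []string
	if !strings.HasPrefix(pattern, "^") {
		findings = append(findings, "not anchored at start (missing ^)")
	}
	if !strings.HasSuffix(pattern, "$") {
		findings = append(findings, "not anchored at end (missing $)")
	}
	return findings
}

// constructedLog is a made-up access log, "<method> <request-uri> <status>
// <user>", where user "-" means the proxy had no authenticated session.
var constructedLog = []string{
	"GET /foo/a/bar 200 alice",
	"GET /foo/a?x=/bar 200 -",
	"GET /healthz 200 -",
	"GET /admin?x=1 302 -",
}

// flagAccessLog returns the URIs of unauthenticated requests that would only
// have skipped authentication because of their query string.
func flagAccessLog(routes []*regexp.Regexp, lines []string) []string {
	var flagged []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line: ignore rather than guess
		}
		if uri, user := f[1], f[3]; user == "-" && isQueryOnlySkip(routes, uri) {
			flagged = append(flagged, uri)
		}
	}
	return flagged
}

func main() {
	routes, err := compileRoutes([]string{"^/foo/.*/bar$", "^/healthz$"})
	if err != nil {
		panic(err)
	}
	for _, uri := range []string{"/foo/x/bar", "/foo/x?next=/bar", "/healthz?verbose=1"} {
		fmt.Printf("%-20s full-URI=%-5v path-only=%-5v query-only-skip=%v\n",
			uri, matchesFullURI(routes, uri), matchesPathOnly(routes, uri), isQueryOnlySkip(routes, uri))
	}
	for _, p := range []string{"/foo/.*/bar", "^/foo/.*/bar$"} {
		fmt.Printf("audit %q: %v\n", p, auditPattern(p))
	}
	fmt.Println("flagged:", flagAccessLog(routes, constructedLog))
}
```

Note that the anchored pattern `^/foo/.*/bar$` still differs between the two matchers: `.*` absorbs a `?` and everything after it, so anchoring alone does not close the gap when the pattern contains a wildcard, which is why the advisory pairs the anchoring advice with exact path matches or path-only matching.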
OSV
osv · 2025-07-30
CVE-2025-54576 [CRITICAL] OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/oauthproxy.go#L582-L584
https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/pkg/requests/util/util.go#L37-L44
https://github.com/oauth2-proxy/oauth2-proxy/commit/9ffafad4b2d2f9f7668e5504565f356a7c047b77
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434
https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/#proxy-options