A significant security flaw has been discovered in OAuth2-Proxy, a widely utilized open-source tool that provides authentication services for various identity providers, including Google, Azure, and OpenID Connect. This vulnerability, identified as CVE-2025-54576, allows attackers to bypass authentication mechanisms by manipulating query parameters in URLs, potentially granting unauthorized access to protected resources.
Understanding the Vulnerability
OAuth2-Proxy serves as a reverse proxy, facilitating authentication for applications by integrating with identity providers. A critical component of its configuration is the `skip_auth_routes` option, which uses regular expressions (regex) to define routes that should bypass authentication. The vulnerability arises from the system’s improper handling of request URIs. Specifically, `skip_auth_routes` matches against the full request URI—including both the path and query parameters—rather than just the path component as intended. This misconfiguration enables attackers to craft URLs with query parameters that satisfy the regex patterns, effectively circumventing authentication controls.
Technical Details
Consider a configuration where `skip_auth_routes` is set to `[ “^/foo/./bar$” ]`. This pattern is intended to allow access to paths like `/foo/something/bar`. However, due to the vulnerability, an attacker can exploit this by accessing a URL such as `/foo/critical_endpoint?param=/bar`. The inclusion of the query parameter `?param=/bar` causes the full URI to match the regex pattern, thereby bypassing authentication and granting unauthorized access to the `critical_endpoint`.
The root cause of this issue lies in the code handling URI matching. Specifically, the vulnerability is present in the following code segments:
– `oauthproxy.go` at lines 582-584
– `pkg/requests/util/util.go` at lines 37-44
In these segments, the system matches the full request URI against the regex patterns defined in `skip_auth_routes`, including query parameters, leading to the authentication bypass.
Impact Assessment
This vulnerability is classified as critical, with a CVSS v3.1 score of 9.1, reflecting high impacts on confidentiality and integrity. The primary risks include:
– Authentication Bypass: Unauthorized users can access protected resources without proper authentication.
– Unauthorized Data Access: Sensitive information may be exposed to unauthorized parties.
– Potential Data Manipulation: Attackers could modify data or perform actions within the application without proper authorization.
Deployments most at risk are those using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns, especially when backend services ignore unknown query parameters.
Mitigation Strategies
To address this vulnerability, the maintainers of OAuth2-Proxy have released version 7.11.0, which rectifies the improper URI matching behavior. Organizations using affected versions (7.10.0 and below) are strongly advised to upgrade to this patched version immediately.
In addition to upgrading, the following mitigation steps are recommended:
1. Audit `skip_auth_routes` Configurations: Review all configurations to identify and modify overly permissive patterns. Replace wildcard patterns with exact path matches where feasible.
2. Anchor Regex Patterns: Ensure that regex patterns are properly anchored using `^` and `$` markers to match only the intended paths. For example, replace broad patterns like `”^/public/.”` with specific paths such as `[“^/public/assets$”, “^/public/health$”, “^/api/status$”]`.
3. Sanitize Query Parameters: Implement custom validation to strip query parameters before performing regex matching, ensuring that only the path component is evaluated.
4. Monitor and Log Access: Enhance monitoring and logging to detect unauthorized access attempts and identify potential exploitation of this vulnerability.
Conclusion
The discovery of CVE-2025-54576 underscores the importance of meticulous configuration and validation in authentication mechanisms. Organizations utilizing OAuth2-Proxy should promptly upgrade to version 7.11.0 and review their configurations to prevent potential exploitation. By implementing the recommended mitigation strategies, organizations can safeguard their applications against unauthorized access and maintain the integrity of their authentication processes.
