CVE-2025-54576 Overview
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes configuration option with regex patterns. Attackers can bypass authentication by crafting URLs with query parameters that satisfy configured regex patterns, allowing unauthorized access to protected resources.
The issue stems from skip_auth_routes matching against the full request URI rather than just the path component. Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk. This vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing).
Critical Impact
Attackers can completely bypass OAuth2 authentication controls by manipulating URL query parameters, potentially gaining unauthorized access to protected resources and sensitive data in affected deployments.
Affected Products
- OAuth2-Proxy versions 7.10.0 and below
- oauth2_proxy_project oauth2_proxy
- Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns
Discovery Timeline
- 2025-07-30 - CVE CVE-2025-54576 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2025-54576
Vulnerability Analysis
This Authentication Bypass vulnerability exists in how OAuth2-Proxy processes the skip_auth_routes configuration option. When administrators configure regex patterns to skip authentication for specific routes (such as health check endpoints or public assets), the matching logic incorrectly operates against the full request URI, including query parameters.
This design flaw allows attackers to append carefully crafted query parameters to authenticated endpoints. If the resulting full URI matches any configured skip_auth_routes pattern, the proxy bypasses authentication entirely, granting access to protected resources without valid credentials.
The vulnerability is particularly dangerous because many common configurations use permissive patterns like .*\.js$ or /public/.* that can be easily exploited through query string manipulation. The network-accessible nature of OAuth2-Proxy deployments means remote attackers can exploit this without any prior authentication.
Root Cause
The root cause lies in the skip_auth_routes regex matching implementation within the OAuth2-Proxy codebase. As documented in the vulnerable source code, the matching function evaluates patterns against the complete request URI rather than isolating the path component.
The utility functions responsible for URI processing do not strip or sanitize query parameters before regex evaluation, enabling the bypass condition when attackers include path-like strings within query parameter values.
Attack Vector
The attack leverages network access to the OAuth2-Proxy endpoint. An attacker identifies protected resources behind the proxy and examines or guesses the skip_auth_routes configuration patterns. By appending query parameters that cause the full URI to match an allowlisted pattern, the attacker can access protected endpoints without authentication.
For example, if the configuration includes a pattern like ^/health.*, an attacker could access /admin/dashboard?x=/health and potentially bypass authentication if the regex matches the full URI. Alternatively, patterns like .*\.css$ could be exploited by requesting /api/sensitive?file=style.css.
The attack requires no authentication, no user interaction, and can be executed remotely with low complexity. While the vulnerability does not directly impact system availability, it allows complete compromise of confidentiality and integrity of protected resources.
Detection Methods for CVE-2025-54576
Indicators of Compromise
- Unusual query parameters appended to protected endpoints that contain path-like strings or file extensions
- Access log entries showing successful requests to protected resources without corresponding authentication events
- Requests to authenticated endpoints with query strings containing patterns matching skip_auth_routes configurations
- Anomalous user agent strings or request patterns targeting multiple endpoints with similar query parameter structures
Detection Strategies
- Review OAuth2-Proxy access logs for requests to protected endpoints that include suspicious query parameters containing path fragments or file extensions
- Implement Web Application Firewall (WAF) rules to detect query parameters containing patterns commonly used in skip_auth_routes configurations
- Deploy anomaly detection to identify requests that successfully access protected resources without prior authentication flows
- Monitor for enumeration attempts where attackers systematically test various query parameter patterns against protected endpoints
Monitoring Recommendations
- Enable verbose logging in OAuth2-Proxy to capture full request URIs including query parameters for forensic analysis
- Implement SIEM correlation rules to detect successful access to protected resources that bypass normal authentication patterns
- Configure alerting for unusual ratios of authenticated versus unauthenticated successful requests to protected endpoints
- Audit skip_auth_routes configurations periodically and log any changes to these critical security settings
How to Mitigate CVE-2025-54576
Immediate Actions Required
- Upgrade OAuth2-Proxy to version 7.11.0 immediately as this version contains the security fix
- Audit all existing skip_auth_routes configurations for overly permissive regex patterns
- Review access logs for evidence of exploitation attempts targeting the authentication bypass
- Implement additional authentication controls at the upstream application level as defense in depth
Patch Information
The vulnerability is fixed in OAuth2-Proxy version 7.11.0. The fix is available in commit 9ffafad4b2d2f9f7668e5504565f356a7c047b77 and the release can be obtained from the v7.11.0 release tag. Organizations should prioritize this upgrade given the critical severity and network-exploitable nature of the vulnerability.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-7rh7-c77v-6434.
Workarounds
- Replace wildcard patterns with exact path matches where possible (e.g., use ^/health$ instead of /health.*)
- Ensure all regex patterns are properly anchored by starting with ^ and ending with $ to prevent partial matching
- Implement custom validation at the upstream application or reverse proxy layer that strips query parameters before security decisions
- Consider temporarily removing skip_auth_routes configurations for sensitive deployments until the upgrade can be completed
# Configuration hardening example for oauth2-proxy
# Replace overly permissive patterns with anchored exact matches
# BEFORE (vulnerable):
# skip_auth_routes = ["/health.*", ".*\.js$"]
# AFTER (hardened):
# Use exact path matching with proper anchoring
skip_auth_routes = ["^/health$", "^/healthz$", "^/static/.*\\.js$"]
# Verify no query parameter bypasses are possible by testing:
# curl -v "https://proxy.example.com/protected?x=/health"
# Should return 401/403, not 200
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
