{"id":5775,"date":"2025-07-31T10:04:57","date_gmt":"2025-07-31T10:04:57","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/31\/oauth2-proxy-vulnerability-enables-authentication-bypass-by-manipulating-query-parameters\/"},"modified":"2025-07-31T10:04:57","modified_gmt":"2025-07-31T10:04:57","slug":"oauth2-proxy-vulnerability-enables-authentication-bypass-by-manipulating-query-parameters","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/31\/oauth2-proxy-vulnerability-enables-authentication-bypass-by-manipulating-query-parameters\/","title":{"rendered":"OAuth2-Proxy Vulnerability Enables Authentication Bypass by Manipulating Query Parameters"},"content":{"rendered":"

OAuth2-Proxy Vulnerability Enables Authentication Bypass by Manipulating Query Parameters
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security vulnerability has been identified in OAuth2-Proxy, a widely-used reverse proxy<\/a> that provides authentication services for Google, Azure, OpenID Connect, and numerous other identity providers.\u00a0<\/p>\n

The vulnerability, designated as CVE-2025-54576, enables attackers to bypass authentication mechanisms by manipulating query parameters in crafted URLs, potentially granting unauthorized access to protected resources.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. OAuth2-Proxy <7.10.0 has a critical authentication bypass.
2. System matches full URI instead of path-only, allowing malicious URLs to bypass security.
3. Upgrade to v7.11.0 and use specific regex patterns instead of wildcards.<\/pre>\n
OAuth2-Proxy Vulnerability<\/strong><\/h2>\n
The vulnerability specifically affects OAuth2-Proxy deployments utilizing the skip_auth_routes configuration option with regex patterns.\u00a0<\/p>\n
The security flaw stems from the system\u2019s incorrect handling of request URI matching, where the authentication<\/a> bypass occurs because skip_auth_routes matches against the complete request URI (including both path and query parameters) rather than just the path component as documented.<\/p>\n
This discrepancy creates a significant attack vector where malicious actors can append specially crafted query parameters to URLs, effectively satisfying configured regex patterns and circumventing authentication controls.\u00a0<\/p>\n
For example, a configuration setting skip_auth_routes = [ \u201c^\/foo\/.*\/bar$\u201d ] intended to allow access only to \/foo\/something\/bar can be exploited to also permit access to \/foo\/critical_endpoint?param=\/bar.\u00a0<\/p>\n
The vulnerability code is present in oauthproxy.go#L582-584 and pkg\/requests\/util\/util.go#L37-L44, where the improper URI handling logic resides.<\/p>\n
This vulnerability is rated as Critical with a CVSS v3.1 score reflecting high confidentiality and integrity impact (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N).\u00a0<\/p>\n
Deployments most at risk include those using skip_auth_routes with regex patterns containing wildcards or broad matching patterns, particularly when backend services ignore unknown query parameters.<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nOAuth2-Proxy versions < 7.10.0<\/td>\n<\/tr>\n
Impact<\/td>\n\u2013 Authentication bypass- Unauthorized access to protected resources- High confidentiality and integrity compromise<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\n\u2013 Deployment uses skip_auth_routes configuration- Regex patterns with wildcards or broad matching- Backend services that ignore unknown query parameters<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n9.1 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Mitigations<\/strong><\/h2>\n
OAuth2-Proxy maintainers have released<\/a> version 7.11.0 as a patched solution, addressing the vulnerability for all affected versions below 7.10.0.\u00a0<\/p>\n
For immediate mitigation, security teams should audit all skip_auth_routes configurations for overly permissive patterns, replace wildcard patterns with exact path matches where feasible, and ensure regex patterns are properly anchored using ^ and $ markers.\u00a0<\/p>\n
A secure configuration example includes replacing broad patterns like \u201c^\/public\/.*\u201d with specific paths such as [\u201c^\/public\/assets$\u201d, \u201c^\/public\/health$\u201d, \u201c^\/api\/status$\u201d].<\/p>\n
Organizations should prioritize upgrading to the patched version while implementing these interim security measures to prevent potential authentication bypass attacks.<\/p>\n
Integrate ANY.RUN TI Lookup<\/strong> with your SIEM or SOAR To Analyses Advanced Threats<\/strong> -> Try 50 Free Trial Searches<\/a> <\/strong><\/code><\/p>\n
The post OAuth2-Proxy Vulnerability Enables Authentication Bypass by Manipulating Query Parameters<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
OAuth2-Proxy Vulnerability Enables Authentication Bypass by Manipulating Query Parameters A critical security vulnerability has been identified in OAuth2-Proxy, a widely-used reverse proxy that provides authentication services for Google, Azure, OpenID Connect, and numerous other identity providers.\u00a0 The vulnerability, designated as CVE-2025-54576, enables attackers to bypass authentication mechanisms by manipulating query parameters in crafted URLs, potentially […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-5775","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5775"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5775"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5775\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}