Overview
OAuth2-Proxy, an open-source reverse proxy middleware, is affected by a critical vulnerability in versions 7.10.0 and below. The flaw allows attackers to bypass authentication when the skip_auth_routes configuration option is used with regex patterns. Consequently, unauthenticated users can reach protected resources, leading to potential system compromise and data leakage. The issue is of significant concern to organizations that rely on OAuth2-Proxy as part of their security infrastructure, since it can undermine the integrity and confidentiality of the systems behind it.
Vulnerability Summary
CVE ID: CVE-2025-54576
Severity: Critical (CVSS: 9.1)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage
Affected Products
Product | Affected Versions
--- | ---
OAuth2-Proxy | 7.10.0 and below
How the Exploit Works
The vulnerability arises from how OAuth2-Proxy evaluates the skip_auth_routes configuration option when it contains regex patterns. Attackers can craft URLs whose query parameters satisfy a configured regex, thereby bypassing authentication. The root cause is that skip_auth_routes matches against the full request URI (path and query string) rather than the path alone, so a pattern that is overly permissive, unanchored, or contains wildcards can be satisfied by query-string content and grant unauthorized access.
Conceptual Example Code
Suppose there’s a misconfigured regex pattern in the skip_auth_routes that allows anything ending with a “/public”. An attacker could exploit this by crafting a URL with query parameters like so:
GET /private?redirect=/public HTTP/1.1
Host: vulnerable.example.com
This would bypass the authentication due to the misconfigured regex pattern, giving the attacker unauthorized access to the private endpoint.
Mitigation and Workarounds
The vulnerability is fixed in OAuth2-Proxy version 7.11.0. It is highly recommended to update to this version or later to mitigate this issue. If immediate patching is not possible, consider implementing workarounds such as:
– Auditing all skip_auth_routes configurations for overly permissive patterns.
– Replacing wildcard patterns with exact path matches where possible.
– Ensuring regex patterns are properly anchored (starting with ^ and ending with $).
– Implementing custom validation that strips query parameters before regex matching.
– Using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation.
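The following Go program is an added illustration of the matching difference described above and of the audit and query-stripping workarounds; it is not code from the OAuth2-Proxy project. It assumes constructed skip-route patterns (`/public$`, `^/health$`, `^/static/.*`) and the advisory's sample request URI; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed request taken from the advisory's example: the path is /private,
// but the full request URI ends with "/public" because of the query string.
const sampleRequestURI = "/private?redirect=/public"

// matchFullURI reproduces the weak behaviour described on the page: the
// skip-route regex is tested against the entire request URI, query included.
func matchFullURI(pattern, requestURI string) bool {
	return regexp.MustCompile(pattern).MatchString(requestURI)
}

// matchPathOnly is the hardened check from the workaround list: parse the
// request URI, discard the query string, and match the (anchored) pattern
// against the path component only.
func matchPathOnly(pattern, requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	return regexp.MustCompile(pattern).MatchString(u.Path), nil
}

// unanchoredPatterns returns the skip-route patterns that lack a leading ^
// or a trailing $, which is the configuration audit the page recommends.
func unanchoredPatterns(patterns []string) []string {
	var bad []string
	for _, p := range patterns {
		if !strings.HasPrefix(p, "^") || !strings.HasSuffix(p, "$") {
			bad = append(bad, p)
		}
	}
	return bad
}

func main() {
	fmt.Println(matchFullURI(`/public$`, sampleRequestURI)) // true: auth skipped for /private
	skipped, _ := matchPathOnly(`^/public$`, sampleRequestURI)
	fmt.Println(skipped) // false: /private still requires authentication
	fmt.Println(unanchoredPatterns([]string{`/public$`, `^/health$`, `^/static/.*`}))
}
```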
Always ensure to follow best practices for security configuration and regularly update your systems to the latest versions to prevent similar vulnerabilities.
