A critical vulnerability in the popular OAuth2-Proxy open-source authentication tool has been discovered, allowing attackers to bypass authentication protections by manipulating query parameters. Tracked as CVE-2025-54576, this flaw has received a CVSS score of 9.1, highlighting the high potential impact on OAuth2-protected web applications.
OAuth2-Proxy is widely used to secure web applications by acting as a reverse proxy or middleware component. It redirects user requests to OAuth2 or OIDC providers for authentication, integrating easily into existing infrastructures such as load balancers or Kubernetes ingress controllers.
It offers a simple way to protect web applications with OAuth2/OIDC authentication and can run either as a standalone reverse proxy or as a middleware component inside an existing reverse proxy or load balancer setup.
The flaw lies in the skip_auth_routes configuration option, which allows developers to define URL routes that should bypass authentication checks using regular expressions (regex). However, OAuth2-Proxy incorrectly matches these regex patterns against the full request URI, including query parameters, rather than just the URL path as the documentation suggests.
This opens the door for attackers to bypass authentication by appending carefully crafted query parameters that trigger a match in the regex pattern—even when the base path itself is protected.
“The issue stems from skip_auth_routes matching against the full request URI (path + query parameters) instead of just the path as documented,” the advisory warns.
An attacker can abuse this vulnerability using URLs that exploit permissive regex patterns. For example:
- Configuration: skip_auth_routes = [ "^/foo/.*/bar$" ]
- Intended behavior: Allow /foo/something/bar
- Actual vulnerability: Also allows /foo/critical_endpoint?param=/bar
This attack is particularly effective against backends that ignore or tolerate unexpected query parameters.
“Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk,” especially when “backend services ignore unknown query parameters,” the report adds.
The vulnerability has been addressed in OAuth2-Proxy version v7.11.0. Affected users are urged to upgrade immediately.
For those unable to upgrade right away, the advisory provides several immediate workarounds:
- Review regex patterns: Audit all skip_auth_routes configurations for overly permissive patterns
- Use precise patterns: Replace wildcard patterns with exact path matches where possible
- Anchor patterns: Ensure regex patterns are properly anchored (start with ^ and end with $)
- Path-only matching: Consider implementing custom validation that strips query parameters before regex matching
Example secure configuration:
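As an added example, not code from the oauth2-proxy project or the advisory, the following Go program illustrates both the bypass shown earlier (the page's pattern `^/foo/.*/bar$` tested against the full request URI) and the path-only matching and anchoring checks the workarounds recommend. The types and function names (`SkipAuthRoute`, `skipAuthFullURI`, `skipAuthPathOnly`, `isAnchored`) are hypothetical and do not mirror oauth2-proxy's internals; the pattern list in `main` beyond the page's own entry is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SkipAuthRoute is one compiled skip_auth_routes entry.
// Hypothetical type for this example, not oauth2-proxy's own structure.
type SkipAuthRoute struct {
	Pattern *regexp.Regexp
}

// compileRoutes compiles the configured regex patterns, failing fast on a bad one.
func compileRoutes(patterns []string) ([]SkipAuthRoute, error) {
	routes := make([]SkipAuthRoute, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("skip_auth_routes pattern %q: %w", p, err)
		}
		routes = append(routes, SkipAuthRoute{Pattern: re})
	}
	return routes, nil
}

// skipAuthFullURI models the flawed behaviour the advisory describes: the
// pattern is tested against the full request URI, query string included, so a
// crafted query can complete a match that the path alone would not.
func skipAuthFullURI(routes []SkipAuthRoute, requestURI string) bool {
	for _, r := range routes {
		if r.Pattern.MatchString(requestURI) {
			return true
		}
	}
	return false
}

// skipAuthPathOnly models the documented behaviour: the query string is
// stripped by net/url and only the path component is matched.
func skipAuthPathOnly(routes []SkipAuthRoute, requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	for _, r := range routes {
		if r.Pattern.MatchString(u.Path) {
			return true, nil
		}
	}
	return false, nil
}

// isAnchored is a simple audit check for the "anchor patterns" workaround:
// a pattern must begin with ^ and end with $. It does not inspect for an
// escaped trailing "\$", which a fuller linter would need to handle.
func isAnchored(pattern string) bool {
	return strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$")
}

func main() {
	// The page's configuration, with its intended route and the crafted URI.
	routes, err := compileRoutes([]string{"^/foo/.*/bar$"})
	if err != nil {
		panic(err)
	}
	for _, uri := range []string{"/foo/something/bar", "/foo/critical_endpoint?param=/bar"} {
		pathOnly, _ := skipAuthPathOnly(routes, uri)
		fmt.Printf("%-36s full-URI skip=%-5v path-only skip=%v\n",
			uri, skipAuthFullURI(routes, uri), pathOnly)
	}
	// Constructed patterns for the anchoring audit: unanchored, the page's
	// wildcard pattern, and an exact-path replacement for it.
	for _, p := range []string{"/foo/.*/bar", "^/foo/.*/bar$", "^/foo/something/bar$"} {
		fmt.Printf("%-24s anchored=%v\n", p, isAnchored(p))
	}
}
```

Running it shows the crafted URI skipping authentication only under the full-URI matcher, while the intended route passes both. The path-only matcher uses the path as parsed by net/url; it does not address normalization questions such as percent-encoded characters or dot segments, which the advisory does not cover and which a reverse proxy deployment should evaluate separately.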