Summary
CVE-2025-54576 is a critical logic/validation flaw in oauth2-proxy (versions up through 7.10.0) tied to how skip_auth_routes regexes are evaluated. Instead of matching only the request path, configured regex rules were applied against the entire request URI (path plus query string). An attacker can append crafted query parameters so that a protected endpoint’s request URI satisfies a skip rule and authentication is bypassed. The project fixed the issue in v7.11.0.
Urgent Actions Required
- Upgrade OAuth2-Proxy to version 7.11.0 or later immediately.
- Review all skip_auth_routes configurations for overly broad regex patterns.
- Replace wildcard rules with exact path matches wherever possible. A pattern that contains .* (or any other unbounded wildcard) can still be completed by text after the "?" even when it is anchored, because the wildcard consumes the "?" and the query string.
- Anchor regex patterns with ^ at the start and $ at the end so that only the complete, intended path can satisfy the rule.
- If upgrading isn’t possible yet, strip query parameters before applying regex.
Which Systems Are Vulnerable to CVE-2025-54576?
Technical Overview
- Vulnerability Type: Authentication bypass via skip_auth_routes regex matching (the query string is included in the matched subject)
- Affected Software/Versions: oauth2-proxy ≤ 7.10.0
- Attack Vector: Network (HTTP/HTTPS)
- CVSS Score: 9.1 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
- Patch Availability: Yes, fixed in version 7.11.0[2]
How Does the CVE-2025-54576 Exploit Work?
The attack typically follows these steps:
- The attacker identifies or guesses a skip_auth_routes pattern that can be satisfied by text appearing after the "?": a rule with no $ anchor, or one containing a wildcard such as .* that can span the "?".
- The attacker requests a protected path and appends a query string whose value completes the pattern (for example a path-like value, or a value ending in an extension the rule accepts).
- oauth2-proxy ≤ 7.10.0 tests the rule against the full request URI (path plus query string), finds a match, and treats the request as exempt from authentication.
- The request is forwarded upstream with no session or identity check, so the attacker reaches the protected endpoint unauthenticated.
What Causes CVE-2025-54576?
Vulnerability Root Cause:
The issue comes from how skip_auth_routes regexes are checked. The code matched the full request URI, including both the path and the query string, instead of only the path. This means an attacker could add query parameters that match a skip rule and trick oauth2-proxy into skipping authentication for protected endpoints. The matching logic was fixed in version 7.11.0.
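As an added illustration, not oauth2-proxy's own source, the Go program below models the two matching behaviours described in the exploit steps and root cause above: the same rule set is evaluated against r.URL.RequestURI() (path plus query string, the ≤ 7.10.0 behaviour) and against r.URL.Path (the 7.11.0 behaviour). The rule specs, the request URLs and the helper names (parseRules, vulnerableSkip, fixedSkip, outcome) are constructed for this example; the METHOD=regex rule shape mirrors the skip_auth_routes syntax.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// skipRule is a constructed model of one skip_auth_routes entry in the
// "METHOD=regex" or bare "regex" shape. Not oauth2-proxy's own type.
type skipRule struct {
	method string // "" means the rule applies to any method
	re     *regexp.Regexp
}

// parseRules compiles rule specs such as "^/healthz$" or "GET=^/public/.*".
func parseRules(specs []string) ([]skipRule, error) {
	var rules []skipRule
	for _, spec := range specs {
		method, pattern := "", spec
		if i := strings.Index(spec, "="); i > 0 {
			method, pattern = strings.ToUpper(spec[:i]), spec[i+1:]
		}
		re, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", spec, err)
		}
		rules = append(rules, skipRule{method: method, re: re})
	}
	return rules, nil
}

// matchRules reports whether any applicable rule matches subject.
func matchRules(rules []skipRule, method, subject string) bool {
	for _, rule := range rules {
		if rule.method != "" && rule.method != method {
			continue
		}
		if rule.re.MatchString(subject) {
			return true
		}
	}
	return false
}

// vulnerableSkip models the pre-7.11.0 behaviour: the regex is evaluated
// against the full request URI, path plus query string.
func vulnerableSkip(rules []skipRule, r *http.Request) bool {
	return matchRules(rules, r.Method, r.URL.RequestURI())
}

// fixedSkip models the 7.11.0 behaviour: only the path is considered.
func fixedSkip(rules []skipRule, r *http.Request) bool {
	return matchRules(rules, r.Method, r.URL.Path)
}

// outcome evaluates one request under both behaviours.
func outcome(rules []skipRule, method, rawURL string) (vulnSkipped, fixedSkipped bool) {
	r, err := http.NewRequest(method, "http://example.test"+rawURL, nil) // constructed host
	if err != nil {
		panic(err)
	}
	return vulnerableSkip(rules, r), fixedSkip(rules, r)
}

func main() {
	// Constructed rules: a wildcard rule anchored only at the start, and a
	// suffix rule with no start anchor. Both are plausible real-world configs.
	rules, err := parseRules([]string{`^/api/.*/public`, `GET=\.(css|js|png)$`})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ method, url string }{
		{"GET", "/api/v1/public"},          // intended public route
		{"GET", "/api/admin?next=/public"}, // query makes the full URI match ^/api/.*/public
		{"GET", "/admin?file=theme.css"},   // query makes the full URI end in .css
		{"GET", "/admin"},                  // nothing matches
	} {
		v, f := outcome(rules, c.method, c.url)
		fmt.Printf("%-30s vulnerable(<=7.10.0) skip=%-5v fixed(7.11.0) skip=%v\n", c.url, v, f)
	}
	// A fully anchored exact rule cannot be completed by a query string even
	// under the old matching, which is why exact, ^...$ patterns are recommended.
	strict, _ := parseRules([]string{`^/api/v1/public$`})
	v, f := outcome(strict, "GET", "/api/admin?next=/api/v1/public")
	fmt.Printf("%-30s strict rule: vulnerable skip=%v fixed skip=%v\n", "/api/admin?next=/api/v1/public", v, f)
}
```

The last case is the point of the anchoring advice: `^/api/v1/public$` cannot be satisfied by anything after the "?", whereas `^/api/.*/public` can, because `.*` consumes the "?" and the query string, so anchoring only helps when the wildcard is gone as well.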
How Can You Mitigate CVE-2025-54576?
If immediate patching is delayed or not possible:
- Strip query strings before route-matching. Perform path-only matching at the proxy or a pre-processing layer so skip_auth_routes never sees query parameters.
- Temporarily remove or tighten skip_auth_routes entries. Disable any rules that use broad wildcards until they can be reviewed.
- Replace wildcard rules with explicit paths and anchor patterns with ^ and $ so they match only intended endpoints.
- Add upstream validation to reject requests with unexpected path-like values in query parameters. Backends should not accept requests where query values look like other protected paths.
- Deploy WAF/IDS/SIEM rules to flag requests whose query strings contain path-like values or suffixes that match your skip patterns (hunt for ?param=/… or for query values ending in an extension your skip rules accept).
- Review request logs and auth logs for instances where a protected path was served while a query parameter contained a path fragment; treat these as high-priority alerts.
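As an added example that is not part of the original advisory, the Go program below applies the two log-hunting heuristics from the list above, and the exploitation signature in the detection section further down, to a few constructed access-log lines: a high-confidence hit when the full request URI satisfies one of the deployment's skip patterns while the path alone does not (the exact shape of the bypass), and a lower-confidence hit for any other request carrying a path-like query value. The sampleLog lines, the skipPatterns set and the function names are constructed for the example; in practice, read the patterns from your own skip_auth_routes configuration and feed the scanner your real oauth2-proxy or ingress access logs.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines in a common-log-like format.
// These are not real log records.
const sampleLog = `10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /api/v1/public HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2025:10:00:02 +0000] "GET /api/admin?next=/public HTTP/1.1" 200 2048
10.0.0.9 - - [01/Aug/2025:10:00:03 +0000] "GET /admin?file=theme.css HTTP/1.1" 200 1024
10.0.0.9 - - [01/Aug/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 302 0
10.0.0.3 - - [01/Aug/2025:10:00:05 +0000] "GET /search?q=/etc/passwd HTTP/1.1" 200 300`

// requestRe extracts the method and request-target from the quoted request field.
var requestRe = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/`)

// Finding is one flagged log line.
type Finding struct {
	Line    int
	Path    string
	Query   string
	Pattern string // skip pattern satisfied by the full URI but not by the path; "" for the weaker heuristic
	Reason  string
}

// skipPatterns returns the skip_auth_routes regexes of the deployment being
// hunted. Constructed here; take them from your own configuration.
func skipPatterns() []*regexp.Regexp {
	return []*regexp.Regexp{
		regexp.MustCompile(`^/api/.*/public`),
		regexp.MustCompile(`\.(css|js|png)$`),
	}
}

// hasPathLikeValue reports whether any query value looks like a URL path.
func hasPathLikeValue(q url.Values) bool {
	for _, values := range q {
		for _, v := range values {
			if strings.HasPrefix(v, "/") {
				return true
			}
		}
	}
	return false
}

// suspiciousRequests scans log text line by line. A request is ignored when it
// has no query string (this bug needs one) or when its path alone is public
// under some rule (a legitimate skip). Otherwise it is flagged if the full
// URI satisfies a rule the path does not, or, at lower confidence, if a query
// value is path-like.
func suspiciousRequests(log string, patterns []*regexp.Regexp) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		m := requestRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.ParseRequestURI(m[2])
		if err != nil || u.RawQuery == "" {
			continue
		}
		pathPublic := false
		for _, p := range patterns {
			if p.MatchString(u.Path) {
				pathPublic = true
				break
			}
		}
		if pathPublic {
			continue
		}
		hit := ""
		for _, p := range patterns {
			if p.MatchString(u.RequestURI()) {
				hit = p.String()
				break
			}
		}
		switch {
		case hit != "":
			findings = append(findings, Finding{Line: n, Path: u.Path, Query: u.RawQuery, Pattern: hit,
				Reason: "full URI satisfies a skip rule that the path alone does not"})
		case hasPathLikeValue(u.Query()):
			findings = append(findings, Finding{Line: n, Path: u.Path, Query: u.RawQuery,
				Reason: "path-like query value against a non-exempt path (hunt candidate)"})
		}
	}
	return findings
}

func main() {
	for _, f := range suspiciousRequests(sampleLog, skipPatterns()) {
		fmt.Printf("line %d: %s?%s  %s %q\n", f.Line, f.Path, f.Query, f.Reason, f.Pattern)
	}
}
```

Lines 2 and 3 of the sample are the bypass shape and should be treated as the high-priority alerts the list above describes; line 5 is only a hunt candidate, since path-like query values are common in legitimate traffic (redirect and file parameters), so tune that heuristic to your application before alerting on it.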
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Web Applications – Apps using vulnerable OAuth2-Proxy versions (≤7.10.0)
- API Services – Especially those protected via skip_auth_routes with regex-based access rules
- Reverse Proxies or Load Balancers – Deployments that integrate OAuth2-Proxy as a middleware component
Business-Critical Systems at Risk:
- Customer-facing web portals – If access is controlled via OAuth2-Proxy with vulnerable skip_auth_routes
- Admin Panels – Risk of unauthorized access to sensitive configuration or management interfaces
- Internal dashboards or tools – Protected via OAuth2-Proxy skip_auth_routes patterns
Exposure Level:
- Internet-facing applications – Directly reachable apps using vulnerable OAuth2-Proxy versions
- Internal web applications – If the deployment uses vulnerable skip_auth_routes rules and query parameters are not validated
Will Patching CVE-2025-54576 Cause Downtime?
Patch application impact: Low. Upgrade OAuth2-Proxy to v7.11.0. Redeployments usually cause minimal downtime if using CI/CD or containers.
Mitigation (if immediate patching is not possible): Audit skip_auth_routes, avoid wildcards, anchor regex, or strip query parameters before matching. Partial risk reduction only; full patch needed to secure endpoints.
How Can You Detect CVE-2025-54576 Exploitation?
Exploitation Signatures:
- Requests with query parameters crafted to match skip_auth_routes regex patterns.
Indicators of Compromise (IOCs/IOAs):
- Access to protected URLs without authentication.
Behavioral Indicators:
- Authentication checks skipped on protected routes.
Where Can I Find More Information on CVE-2025-54576?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.1 | Critical severity, indicating high risk due to authentication bypass |
| Attack Vector | Network | Exploitable remotely over HTTP/HTTPS without physical access |
| Attack Complexity | Low | Does not require special conditions; straightforward exploitation |
| Privileges Required | None | No authentication or elevated privileges needed |
| User Interaction | None | Exploit does not require any user action |
| Scope | Unchanged | Impact is scored within the security scope oauth2-proxy itself enforces |
| Confidentiality Impact | High | Exploit can give unauthorized access to sensitive data or protected endpoints |
| Integrity Impact | High | Exploit can allow bypassing authentication controls and accessing restricted resources |
| Availability Impact | None | No direct impact on system availability reported |