OAuth2-Proxy Authentication Bypass Vulnerability in Skip Auth Routes Configuration

A critical authentication bypass vulnerability has been identified in OAuth2-Proxy versions prior to 7.10.0. The issue arises in deployments using the skip_auth_routes configuration option with regex patterns, where the patterns match against the full request URI, including query parameters, instead of just the path. This allows attackers to craft URLs that bypass authentication and access protected resources. The vulnerability is most pronounced when backend services ignore unknown query parameters.

Impact

Exploitation of this vulnerability allows for authentication bypass, granting unauthorized access to protected resources.

Reproduction

To reproduce this vulnerability, deploy OAuth2-Proxy with a skip_auth_routes configuration that includes a regex pattern matching query parameters. When a request is made to a protected resource that includes query parameters matching the regex, authentication will be bypassed, and access will be granted.

Remediation

Users can update to OAuth2-Proxy version 7.11.0 or later, where this vulnerability has been fixed. Additionally, review and adjust any skip_auth_routes configurations that may be overly permissive, replacing wildcard patterns with exact path matches where possible, and ensuring regex patterns are properly anchored to match only the intended paths.