ORY Oathkeeper Authentication Bypass Vulnerability via Untrusted X-Forwarded-Proto Header
Vulnerability
An authentication bypass vulnerability has been identified in ORY Oathkeeper versions prior to 26.2.0. Oathkeeper is commonly deployed behind a CDN, WAF, or reverse proxy that terminates TLS and forwards the request to Oathkeeper over a different protocol than the client used, signalling the original protocol in the 'X-Forwarded-Proto' header. Oathkeeper rebuilds the request URL from that header when matching access rules. The 'serve.proxy.trust_forwarded_headers' setting is meant to control whether 'X-Forwarded-*' headers are honoured at all, but prior to version 26.2.0 the rule matcher used 'X-Forwarded-Proto' regardless of that setting, so any client that can reach Oathkeeper, not only the trusted proxy, can choose the scheme that rule matching sees. An attacker can therefore set 'X-Forwarded-Proto' to 'http' or 'https' to steer a request onto a different rule than the one intended for it. The bypass is only practical when the installation has separate rules for HTTP and HTTPS URLs and the attacker can trigger one of those rules without the other.
Impact
Exploitation of this vulnerability allows an authentication bypass: by supplying an untrusted 'X-Forwarded-Proto' header, the attacker selects which scheme-specific rule Oathkeeper applies, and therefore which authenticators, authorizers, and mutators run, and can reach resources whose intended rule would have rejected the request.
Reproduction
To reproduce this vulnerability, deploy ORY Oathkeeper (a version prior to 26.2.0) with two access rules that differ only in scheme, one matching 'http://...' and one matching 'https://...' for the same host and path, and give them different authenticators. Leave 'serve.proxy.trust_forwarded_headers' at its default of false. Send the same request twice, once without and once with 'X-Forwarded-Proto' set to 'https' or 'http', depending on which rule you want to trigger, and compare the two decisions. A vulnerable Oathkeeper honours the client-supplied header as if it came from a trusted proxy and applies the other scheme's rule, granting access that the intended rule would have denied.
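As an added example (not code from this page, nor Oathkeeper's own code), the following Go program models the rule-matching step in simplified form so the two behaviours can be compared side by side. The 'Rule' type, the host 'api.example.test', the two constructed rules (a 'bearer_token' rule for 'http://' and a deliberately weaker 'anonymous' rule for 'https://', as an operator might write when HTTPS traffic is expected only from a vetted proxy), and the function names are all assumptions made for the illustration; the 'vulnerable' flag stands in for the pre-fix behaviour described above, where the header is honoured regardless of 'trust_forwarded_headers'.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Rule is a minimal stand-in for an Oathkeeper access rule: an anchored
// regular expression over "scheme://host/path" plus the authenticator that
// runs when the rule matches. Constructed for this example only.
type Rule struct {
	ID            string
	Pattern       *regexp.Regexp
	Authenticator string
}

// DemoRules is a constructed rule set with separate HTTP and HTTPS rules for
// the same host and path. The HTTPS rule is deliberately the weaker one.
func DemoRules() []Rule {
	return []Rule{
		{ID: "admin-http", Pattern: regexp.MustCompile(`^http://api\.example\.test/admin/.*$`), Authenticator: "bearer_token"},
		{ID: "admin-https", Pattern: regexp.MustCompile(`^https://api\.example\.test/admin/.*$`), Authenticator: "anonymous"},
	}
}

// MatchURL rebuilds the URL that rules are matched against. The scheme is
// taken from the connection itself unless X-Forwarded-Proto is honoured.
// vulnerable=true models the pre-fix behaviour: the header is honoured even
// when trustForwardedHeaders is false, so any client can pick the scheme.
func MatchURL(r *http.Request, trustForwardedHeaders, vulnerable bool) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	xfp := strings.ToLower(r.Header.Get("X-Forwarded-Proto"))
	if xfp != "" && (vulnerable || trustForwardedHeaders) {
		scheme = xfp
	}
	return scheme + "://" + r.Host + r.URL.Path
}

// Decide returns the authenticator selected for r, or "deny" when no rule
// matches (no matching rule means no access).
func Decide(rules []Rule, r *http.Request, trustForwardedHeaders, vulnerable bool) string {
	u := MatchURL(r, trustForwardedHeaders, vulnerable)
	for _, rl := range rules {
		if rl.Pattern.MatchString(u) {
			return rl.Authenticator
		}
	}
	return "deny"
}

// DirectRequest is a constructed plaintext request that reaches the matcher
// without any forwarded headers (r.TLS is nil for an http:// target).
func DirectRequest() *http.Request {
	return httptest.NewRequest("GET", "http://api.example.test/admin/users", nil)
}

// ForgedRequest is the same plaintext request with a client-chosen
// X-Forwarded-Proto, the attacker's input in this scenario.
func ForgedRequest() *http.Request {
	r := DirectRequest()
	r.Header.Set("X-Forwarded-Proto", "https")
	return r
}

func main() {
	rules := DemoRules()
	cases := []struct {
		name        string
		req         *http.Request
		trust, vuln bool
	}{
		{"direct, pre-fix", DirectRequest(), false, true},
		{"forged, pre-fix", ForgedRequest(), false, true},
		{"forged, fixed, trust=false", ForgedRequest(), false, false},
		{"forged, fixed, trust=true", ForgedRequest(), true, false},
	}
	for _, c := range cases {
		fmt.Printf("%-28s url=%-42s authenticator=%s\n",
			c.name, MatchURL(c.req, c.trust, c.vuln), Decide(rules, c.req, c.trust, c.vuln))
	}
}
```

The third case is the fixed behaviour with the default setting: the forged header is ignored, the connection scheme wins, and the 'bearer_token' rule applies. The fourth case shows that enabling 'trust_forwarded_headers' re-introduces the same outcome by design, which is why it must only be turned on when the header can come solely from a proxy you control.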
Remediation
Upgrade to ORY Oathkeeper version 26.2.0 or later. Then review 'serve.proxy.trust_forwarded_headers': enable it only when a proxy you control is the sole path to Oathkeeper and overwrites, rather than appends to, every 'X-Forwarded-*' header on each request; leave it false whenever clients can reach Oathkeeper directly. As defence in depth, strip or overwrite unexpected 'X-Forwarded-*' headers as early as possible in the request path, for example at the WAF or edge proxy, so that Oathkeeper never sees client-supplied values.
