OAuth2 Proxy
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*
- < 7.15.2
A critical authentication bypass vulnerability has been identified in OAuth2 Proxy versions prior to 7.15.2. This issue arises in configurations using an 'auth_request' integration, such as with nginx, where the '--ping-user-agent' option is enabled or Google Cloud Platform health checks are active. In these scenarios, OAuth2 Proxy incorrectly validates requests with the health check User-Agent as successful, allowing unauthenticated remote attackers to access protected resources without going through the normal authentication process. Deployments not using 'auth_request' subrequests or those that do not enable the relevant user-agent options are not affected.
Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized access to protected upstream resources.
Users should upgrade to OAuth2 Proxy version 7.15.2 or later. For those using versions prior to 7.15.2 with 'auth_request' authentication, the vulnerability can be mitigated by disabling '--gcp-healthchecks', removing any configured '--ping-user-agent', ensuring the reverse proxy does not forward client-controlled User-Agent headers to the OAuth2 Proxy auth subrequest, and using path-based health checks on dedicated health check endpoints.
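One way to apply the mitigations above in an nginx auth_request deployment, as an added example that is not part of this advisory or of the OAuth2 Proxy project's own documentation; the listen addresses, hostname, the default /ping path and the use of --set-xauthrequest response headers are assumptions:

```nginx
# Added example (not from the advisory): nginx auth_request integration hardened
# against client-controlled User-Agent reaching the OAuth2 Proxy auth subrequest.
# Assumptions: oauth2-proxy listens on 127.0.0.1:4180 with its ping path left at
# the default /ping, and it is started WITHOUT --gcp-healthchecks or --ping-user-agent.
upstream oauth2_proxy { server 127.0.0.1:4180; }
upstream app_backend  { server 127.0.0.1:8080; }   # placeholder application

server {
    listen 443 ssl;
    server_name app.example.com;                     # placeholder host

    # Dedicated, path-based health check for the load balancer. It bypasses
    # auth_request entirely, so no User-Agent matching is ever needed.
    location = /healthz {
        proxy_pass http://oauth2_proxy/ping;
        proxy_set_header User-Agent "";              # don't forward the probe's UA either
    }

    # Internal auth subrequest: forward only what oauth2-proxy needs.
    location = /oauth2/auth {
        internal;
        proxy_pass http://oauth2_proxy;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        # Key mitigation: an empty value makes nginx drop the header, so a
        # client-supplied User-Agent never reaches oauth2-proxy's UA checks.
        proxy_set_header User-Agent "";
    }

    # Sign-in, callback and sign-out are handled by oauth2-proxy itself.
    location /oauth2/ {
        proxy_pass http://oauth2_proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Protected application: every request must pass the auth subrequest.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # Assumes oauth2-proxy runs with --set-xauthrequest so this header is set.
        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-User $user;
        proxy_pass http://app_backend;
    }
}
```

Upgrading to 7.15.2 or later remains the primary fix; this configuration only removes the conditions under which the bypass is reachable on older versions.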