OAuth2 Proxy Authentication Bypass Vulnerability via X-Forwarded-Uri Header Spoofing

Vulnerability

A critical authentication bypass vulnerability has been identified in OAuth2 Proxy versions from 7.5.0 up to, but not including, 7.15.2. When the reverse proxy feature is enabled together with one or more skip authentication rules, the application may incorrectly trust a client-supplied X-Forwarded-Uri header. An attacker who can set this header can bypass authentication and reach protected routes without a valid session. The vulnerability affects deployments running OAuth2 Proxy with reverse proxy enabled and at least one skip authentication rule.

Impact

Exploitation of this vulnerability allows unauthenticated remote attackers to bypass authentication and access protected routes without a valid session.

Remediation

Users should upgrade to OAuth2 Proxy version 7.15.2 or later and use the new --trusted-proxy-ip flag to specify which IPs or CIDR ranges are allowed to send X-Forwarded headers. Where an immediate upgrade is not possible, it is recommended to strip client-provided X-Forwarded-Uri headers at the reverse proxy or load balancer, overwrite X-Forwarded-Uri with the actual request URI before forwarding to OAuth2 Proxy, restrict direct client access to OAuth2 Proxy, and remove or narrow skip-auth-route and skip-auth-regex rules where possible.
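The following Go program is an added illustration of the trust decision the remediation describes; it is not OAuth2 Proxy's own code and does not reproduce its internals. It assumes (as this page implies but does not state) that the forwarded URI is compared against skip-auth rules, and it models the --trusted-proxy-ip behaviour as a CIDR allow-list: X-Forwarded-Uri is honoured only when the TCP peer is a trusted proxy, otherwise the real request path is used, which is the same effect as overwriting the header at the edge. The CIDR ranges, the `^/healthz$` skip rule and the request addresses are constructed sample values; a weaker variant that trusts the header from any peer is shown alongside for contrast.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// Hypothetical illustration of the hardened check, not OAuth2 Proxy's own code.
// Constructed sample: networks whose X-Forwarded-* headers may be trusted
// (the role the advisory describes for --trusted-proxy-ip).
var trustedProxyCIDRs = mustParseCIDRs([]string{"10.0.0.0/8", "127.0.0.1/32"})
// Constructed sample skip-auth rule: the health endpoint needs no session.
var skipAuthRoutes = []*regexp.Regexp{regexp.MustCompile(`^/healthz$`)}

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isTrustedProxy reports whether the TCP peer address (host:port) lies in a trusted network.
func isTrustedProxy(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// forwardedPath returns the path component of X-Forwarded-Uri, or "" if absent or unparsable.
func forwardedPath(r *http.Request) string {
	u, err := url.ParseRequestURI(r.Header.Get("X-Forwarded-Uri"))
	if err != nil {
		return ""
	}
	return u.Path
}

func matchesSkipRule(path string, skip []*regexp.Regexp) bool {
	for _, re := range skip {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// naiveRequiresAuth models the weak behaviour: X-Forwarded-Uri is honoured from any peer.
func naiveRequiresAuth(r *http.Request, skip []*regexp.Regexp) bool {
	if p := forwardedPath(r); p != "" {
		return !matchesSkipRule(p, skip)
	}
	return !matchesSkipRule(r.URL.Path, skip)
}

// requiresAuth is the hardened decision: the header counts only from a trusted proxy; otherwise the real path is used.
func requiresAuth(r *http.Request, trusted []*net.IPNet, skip []*regexp.Regexp) bool {
	if p := forwardedPath(r); p != "" && isTrustedProxy(r.RemoteAddr, trusted) {
		return !matchesSkipRule(p, skip)
	}
	return !matchesSkipRule(r.URL.Path, skip)
}

// newReq builds a constructed GET request with the given peer address and header value.
func newReq(path, remoteAddr, forwardedURI string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.RemoteAddr = remoteAddr
	if forwardedURI != "" {
		r.Header.Set("X-Forwarded-Uri", forwardedURI)
	}
	return r
}

func main() {
	// Constructed: an untrusted peer requests /admin but claims /healthz in the header.
	spoofed := newReq("/admin", "203.0.113.5:40000", "/healthz")
	fmt.Println("naive requires auth:", naiveRequiresAuth(spoofed, skipAuthRoutes))              // false
	fmt.Println("hardened requires auth:", requiresAuth(spoofed, trustedProxyCIDRs, skipAuthRoutes)) // true
	// The same header from a trusted proxy is honoured, as reverse-proxy deployments intend.
	fromProxy := newReq("/admin", "10.1.2.3:5000", "/healthz")
	fmt.Println("via trusted proxy requires auth:", requiresAuth(fromProxy, trustedProxyCIDRs, skipAuthRoutes)) // false
}
```

The peer address used for the trust check is the TCP remote address, never a header, since anything in a header is exactly what an untrusted client controls. Stripping or overwriting X-Forwarded-Uri at the edge, as the remediation suggests, produces the same outcome as the hardened function when OAuth2 Proxy is reachable only through that edge.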

Added: Apr 22, 2026, 12:38 AM
Updated: Apr 22, 2026, 12:38 AM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          5.0
  exploitability  7.6
  remediation     8.3
  relevance       6.5
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.