OAuth2 Proxy
cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*
- >= 7.5.0, < 7.15.2
An authentication bypass vulnerability has been identified in OAuth2 Proxy, affecting versions from 7.5.0 up to but not including 7.15.2. The vulnerability is configuration-dependent: it arises when a deployment uses skip_auth_routes, or the legacy skip_auth_regex, with patterns that an attacker can satisfy by appending a suffix of their choosing. The issue is compounded when the protected upstream application treats '#' as a fragment delimiter or routes such requests to the protected base path. In that situation, an unauthenticated attacker can send a crafted request whose path contains a number sign, either literally or in encoded form, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.
Exploitation of this vulnerability allows for authentication bypass, enabling unauthenticated access to protected resources on the backend application.
Users can upgrade to OAuth2 Proxy version 7.15.2 or later, where this vulnerability has been patched. For those unable to upgrade immediately, it is recommended to tighten or remove skip_auth_routes and skip_auth_regex rules, especially those with broad wildcards across path segments. Additionally, sensitive application paths should not be placed behind broad skip_auth_routes rules.
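The following audit helper is an added example written for this advisory; it is not OAuth2 Proxy's own code. It lints a list of skip_auth_routes / skip_auth_regex rules for the properties the advisory warns about (a rule that is not anchored, so an attacker-controlled prefix or suffix still matches, and a wildcard such as `.*` that spans path segments and therefore also consumes '#'), and shows a constructed weak rule set next to a tightened one that keeps the same public assets reachable. It assumes the "METHOD=regex" rule syntax (an entry without "=" being regex-only) and models the allowlist as a plain Go `regexp.MatchString` over the request path; both are assumptions about the proxy, not statements taken from the advisory. The rule sets and request paths are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one lint result for a single allowlist rule.
type Finding struct {
	Rule   string
	Reason string
}

// Constructed sample configurations (not taken from any real deployment).
// WeakRules are the kind of broad patterns the advisory tells operators to
// tighten; TightRules are anchored and never let a wildcard cross a "/".
var WeakRules = []string{"^/static/.*", "GET=/healthz", "/api/public/.*"}
var TightRules = []string{`^/static/[^/]+\.(css|js)$`, "GET=^/healthz$", `^/api/public/[^/]+$`}

// splitRule splits a "METHOD=regex" entry into method and regex; an entry
// without "=" is regex-only. Assumption: this mirrors the proxy's option
// syntax, so a regex-only rule that itself contains "=" would be misread.
func splitRule(rule string) (method, pattern string) {
	if i := strings.Index(rule, "="); i >= 0 {
		return strings.ToUpper(rule[:i]), rule[i+1:]
	}
	return "", rule
}

// hasSegmentWildcard reports whether the pattern contains an unescaped "."
// or "\S" followed by a quantifier. Such an atom matches "/" and "#", so the
// rule spans path segments. It is conservative: a "." inside a character
// class is also flagged.
func hasSegmentWildcard(p string) bool {
	const quantifiers = "*+{?"
	for i := 0; i < len(p); i++ {
		switch {
		case p[i] == '\\' && i+1 < len(p):
			if p[i+1] == 'S' && i+2 < len(p) && strings.ContainsRune(quantifiers, rune(p[i+2])) {
				return true
			}
			i++ // skip the escaped character (e.g. "\." is a literal dot)
		case p[i] == '.' && i+1 < len(p) && strings.ContainsRune(quantifiers, rune(p[i+1])):
			return true
		}
	}
	return false
}

// LintRule returns the findings for one rule; an empty result means the
// rule compiles, is anchored at both ends and has no segment-spanning wildcard.
func LintRule(rule string) []Finding {
	_, pattern := splitRule(rule)
	var out []Finding
	add := func(reason string) { out = append(out, Finding{Rule: rule, Reason: reason}) }
	if _, err := regexp.Compile(pattern); err != nil {
		add("pattern does not compile: " + err.Error())
		return out
	}
	if !strings.HasPrefix(pattern, "^") {
		add("not anchored at start: Go regexp matching is unanchored, so any path containing a match is allowlisted")
	}
	if !strings.HasSuffix(pattern, "$") {
		add("not anchored at end: an attacker-controlled suffix is accepted after the matched prefix")
	}
	if hasSegmentWildcard(pattern) {
		add(`segment-spanning wildcard (".*", ".+", "\S*") matches "/" and "#"; use "[^/]*" or enumerate the allowed files`)
	}
	return out
}

// LintRules lints every rule of a configuration.
func LintRules(rules []string) []Finding {
	var out []Finding
	for _, r := range rules {
		out = append(out, LintRule(r)...)
	}
	return out
}

// Allowed models the allowlist decision (assumption: first rule whose method
// is unset or equal to the request method and whose regex matches the path
// skips authentication). A rule that fails to compile never allowlists.
func Allowed(rules []string, method, path string) bool {
	for _, rule := range rules {
		m, pattern := splitRule(rule)
		re, err := regexp.Compile(pattern)
		if err != nil {
			continue
		}
		if (m == "" || m == strings.ToUpper(method)) && re.MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range LintRules(WeakRules) {
		fmt.Printf("%-18s %s\n", f.Rule, f.Reason)
	}
	fmt.Println("tightened rules, findings:", len(LintRules(TightRules)))
	fmt.Println("tightened rules still serve /static/app.css:", Allowed(TightRules, "GET", "/static/app.css"))
}
```

Run the linter over the rule list exported from the proxy's configuration before deploying it; any rule that produces a finding is one the advisory says to tighten or remove, and sensitive application paths should never sit under a rule that produces findings. The tightened set is deliberately narrow: it names the public file types explicitly and uses `[^/]+` so that no single rule can match anything beyond one path segment.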