
CVE-2025-54576: OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

CVSS Score: 9.1 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 7/30/2025
Updated: 7/30/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/oauth2-proxy/oauth2-proxy/v7 | go | <= 7.10.0 | 7.11.0 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is an authentication bypass in the skip_auth_routes feature of oauth2-proxy. The root cause is that the regular expression matching for the skip routes was performed against the full request URI, including query parameters, instead of just the URL path. This flaw is located in the isAllowedPath function in oauthproxy.go, which used the requestutil.GetRequestURI function to get the string for matching. An attacker could exploit this by sending a request to a protected endpoint and adding a query string that matches a configured skip_auth_routes pattern. For instance, if ^/public/.* was configured as a skip route, a request to /protected_endpoint?param=/public/page would incorrectly match the rule and bypass authentication. The patch addresses this by introducing a new function, requestutil.GetRequestPath, which strips query parameters from the URI before the regex matching occurs in isAllowedPath. The analysis of the patch clearly points to isAllowedPath as the location of the flawed logic and util.GetRequestURI as the source of the unsanitized input that enables the bypass.

Vulnerable functions

isAllowedPath (oauthproxy.go)
This function is responsible for checking whether a request path is allowed to skip authentication based on the `skip_auth_routes` configuration. The vulnerability lies in this function's use of `requestutil.GetRequestURI(req)`, which includes query parameters in the string being matched against the regex. This allowed an attacker to craft a URL with query parameters that would match a skip rule, thus bypassing authentication for a protected endpoint.

util.GetRequestURI (pkg/requests/util/util.go)
This function retrieves the request URI. In the context of this vulnerability, it provides the unsanitized input (the full URI including query parameters) to the `isAllowedPath` function. An attacker's crafted URL, containing malicious query parameters, would be processed by this function, and its output would lead to the authentication bypass in `isAllowedPath`. Therefore, this function is a key part of the exploit chain.
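As an added example (not oauth2-proxy's own code), the vulnerable and the fixed matching logic described in the root cause analysis and the function notes above, side by side in Go, using hypothetical stand-ins for `requestutil.GetRequestURI` and `requestutil.GetRequestPath` and a constructed rule set. Because a start-anchored rule such as `^/public/.*` can only be satisfied by the path itself, the sample uses the unanchored form `/public/.*` and a `$`-anchored static-asset rule, the two rule shapes that a query string can complete.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// Constructed skip_auth_routes: an unanchored variant of the page's rule, and a
// common static-asset rule whose trailing $ a query string can satisfy.
var skipAuthRoutes = []*regexp.Regexp{
	regexp.MustCompile(`/public/.*`),
	regexp.MustCompile(`^/.*\.(css|js)$`),
}

// Stand-in for requestutil.GetRequestURI: path plus raw query (hypothetical name).
func getRequestURI(req *http.Request) string { return req.URL.RequestURI() }

// Stand-in for requestutil.GetRequestPath: path only, as the 7.11.0 fix matches (hypothetical name).
func getRequestPath(req *http.Request) string { return req.URL.Path }

func matchesSkipRoute(s string) bool {
	for _, re := range skipAuthRoutes {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// isAllowedPathVulnerable: <= 7.10.0 behaviour, the query string takes part in matching.
func isAllowedPathVulnerable(req *http.Request) bool { return matchesSkipRoute(getRequestURI(req)) }

// isAllowedPathFixed: 7.11.0 behaviour, only the path is matched.
func isAllowedPathFixed(req *http.Request) bool { return matchesSkipRoute(getRequestPath(req)) }

// newRequest builds a GET request from a constructed request-target string.
func newRequest(rawURL string) *http.Request {
	u, _ := url.Parse(rawURL) // inputs below are constructed and well-formed
	return &http.Request{Method: http.MethodGet, URL: u}
}

func main() {
	for _, raw := range []string{"/public/page", "/protected_endpoint",
		"/protected_endpoint?param=/public/page", "/admin?x=.css"} {
		req := newRequest(raw)
		fmt.Printf("%-40s vulnerable=%-5v fixed=%v\n", raw, isAllowedPathVulnerable(req), isAllowedPathFixed(req))
	}
}
```

The two query-carrying requests skip authentication under the vulnerable matcher and are denied by the fixed one; the genuinely public path is allowed by both.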

WAF Protection Rules

WAF Rule

### Impact

This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the
