9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54576

CVE-2025-54576: OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact

This vulnerability affects oauth2-proxy deployments using the skip_auth_routes configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.

The issue stems from skip_auth_routes matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.

Example Attack:

Configuration: skip_auth_routes = [ "^/foo/.*/bar$" ]
Intended behavior: Allow /foo/something/bar
Actual vulnerability: Also allows /foo/critical_endpoint?param=/bar

Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query parameters.

Patches

A patch has been release with version v7.11.0.

Workarounds

Immediate mitigations:

Review regex patterns: Audit all skip_auth_routes configurations for overly permissive patterns
Use precise patterns: Replace wildcard patterns with exact path matches where possible
Anchor patterns: Ensure regex patterns are properly anchored (start with ^ and end with $)
Path-only matching: Consider implementing custom validation that strips query parameters before regex matching

Example secure configuration:

# Instead of: "^/public/.*"
# Use specific paths: "^/public/assets$", "^/public/health$"
skip_auth_routes = ["^/public/assets$", "^/public/health$", "^/api/status$"]

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54576

CVE-2025-54576:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/oauth2-proxy/oauth2-proxy/v7	go	<= 7.10.0	7.11.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an authentication bypass in the skip_auth_routes feature of oauth2-proxy. The root cause is that the regular expression matching for the skip routes was performed against the full request URI, including query parameters, instead of just the URL path. This flaw is located in the isAllowedPath function in oauthproxy.go, which used the requestutil.GetRequestURI function to get the string for matching. An attacker could exploit this by sending a request to a protected endpoint and adding a query string that matches a configured skip_auth_routes pattern. For instance, if ^/public/.* was configured as a skip route, a request to /protected_endpoint?param=/public/page would incorrectly match the rule and bypass authentication. The patch addresses this by introducing a new function, requestutil.GetRequestPath, which strips query parameters from the URI before the regex matching occurs in isAllowedPath. The analysis of the patch clearly points to isAllowedPath as the location of the flawed logic and util.GetRequestURI as the source of the unsanitized input that enables the bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54576: OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact

Patches

Workarounds

CVE-2025-54576:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-54576: OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

9.1

9.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI