OAuth2-Proxy: Header-Smuggling Auth Bypass in Front of Underscore-Sensitive Apps
CWE-444
Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Per GHSA-vjrc-mh2v-45x6: “All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of `X-Forwarded-*` headers that bypass the proxy's filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised.”
Affected Packages / Versions
- Package: oauth2-proxy (Go)
- Latest published version at triage time: Prior to 7.13.0
- Affected range: Per GHSA-vjrc-mh2v-45x6: oauth2-proxy < 7.13.0
- Patched version: OAuth2-Proxy 7.13.0
Impact
Per GHSA: scope-changing — the proxy is not bypassed but the protected backend can be tricked into accepting attacker-controlled identity headers. Per GHSA: “This change mitigates a request header smuggling vulnerability where an attacker could bypass header stripping by using different capitaliz[ations]” (continues — see source).
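To make the collision described in the Summary and Impact concrete, the following Go program (an added example, not OAuth2 Proxy's own code) contrasts a naive header strip that deletes only the exact dash-spelled name with a hardened strip that folds every incoming name the way a CGI/WSGI gateway does (upper-case, dashes to underscores, `HTTP_` prefix) before matching it against the denylist. The denylist, the `alice`/`admin` values and the "join duplicate values" backend model are constructed for illustration; real gateways differ in how they merge duplicate meta-variables.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// forwardedHeaderDenylist holds the identity headers the proxy sets itself and
// must therefore remove from the client request. Illustrative list, not the
// project's configuration.
var forwardedHeaderDenylist = []string{
	"X-Forwarded-User",
	"X-Forwarded-Email",
	"X-Forwarded-Groups",
	"X-Forwarded-Preferred-Username",
}

// naiveStrip deletes only the canonical dash-spelled names. net/http treats
// '-' as the word separator and leaves '_' alone, so Del("X-Forwarded-User")
// never touches a header sent as "X_Forwarded_User".
func naiveStrip(h http.Header) {
	for _, name := range forwardedHeaderDenylist {
		h.Del(name)
	}
}

// wsgiKey maps a header name to its CGI/WSGI environ key (RFC 3875 style):
// "X-Forwarded-User", "x-forwarded-user" and "X_Forwarded_User" all become
// "HTTP_X_FORWARDED_USER", which is exactly why the backend cannot tell them apart.
func wsgiKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// hardenedStrip removes every incoming header whose gateway-normalised key
// collides with a denylisted identity header, whatever its case or spelling.
func hardenedStrip(h http.Header) {
	denied := make(map[string]bool, len(forwardedHeaderDenylist))
	for _, name := range forwardedHeaderDenylist {
		denied[wsgiKey(name)] = true
	}
	for name := range h { // deleting during range is safe for Go maps
		if denied[wsgiKey(name)] {
			delete(h, name)
		}
	}
}

// backendUserVariable models what a WSGI app reads from HTTP_X_FORWARDED_USER
// after the gateway folded all spellings into one key. Values are sorted and
// joined so the result is deterministic; this is a simplification of real gateways.
func backendUserVariable(h http.Header) string {
	var vals []string
	for name, v := range h {
		if wsgiKey(name) == "HTTP_X_FORWARDED_USER" {
			vals = append(vals, v...)
		}
	}
	sort.Strings(vals)
	return strings.Join(vals, ",")
}

// simulate runs one proxy pass: strip client-supplied identity headers, then
// set the header for the authenticated user, then show what the backend sees.
// The incoming headers are a constructed request from a low-privileged,
// authenticated client using underscore and lower-case spellings.
func simulate(strip func(http.Header), authenticatedUser string) string {
	h := http.Header{}
	h.Add("X_Forwarded_User", "admin") // survives a dash-only strip
	h.Add("x-forwarded-user", "admin") // case variant; canonicalised by net/http
	strip(h)
	h.Set("X-Forwarded-User", authenticatedUser)
	return backendUserVariable(h)
}

func main() {
	fmt.Println("naive   :", simulate(naiveStrip, "alice"))    // admin,alice
	fmt.Println("hardened:", simulate(hardenedStrip, "alice")) // alice
}
```

The naive pass leaves the backend with two values for one environ key, and which one the application honours is up to the gateway; the hardened pass leaves only the value the proxy itself set. The same normalisation step belongs on the backend side as well (reject or ignore any identity header not set by the proxy), so that the protection does not depend on a single filter.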
Severity Rationale
GHSA severity: HIGH. NVD CVSS 8.5 (High): network AV, low complexity, low privileges, no UI, scope-changing, with high confidentiality and low integrity.
Fix
Per GHSA: upgrade OAuth2-Proxy to 7.13.0 or later.
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released (OAuth2-Proxy 7.13.0)
- Nov 12, 2025: GHSA-vjrc-mh2v-45x6 published
Fix Commit(s)
References
Discovered by Siddhant Kalgutkar · Published April 29, 2026