PT-2025-46204 · Unknown · Oauth2 Proxy

Published: 2025-11-10 · Updated: 2026-03-13 · CVE-2025-64484

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OAuth2-Proxy versions prior to 7.13.0
Description: OAuth2-Proxy is susceptible to a header smuggling issue. In deployments positioned in front of applications that normalize underscores to dashes in HTTP header names (such as WSGI-based frameworks like Django, Flask and FastAPI, and PHP applications), authenticated users can inject underscore variants of the X-Forwarded-* headers. These bypass the proxy's filtering logic and can lead to privilege escalation in the upstream application. The OAuth2 Proxy authentication/authorization process itself remains secure. Approximately 8.2k live targets are potentially affected. The issue arises because the proxy does not normalize header names containing underscores (_) versus hyphens (-): headers spelled with underscores (e.g., X_Forwarded_For) pass the filter, after which the upstream application folds the underscores to dashes and treats them as if the proxy had set them. The API endpoints are not directly vulnerable, but the injected headers can affect how the upstream application processes requests. The vulnerable parameters are the X-Forwarded-* headers, specifically X_Forwarded_For, X_Forwarded_Proto, X_Forwarded_Host, and others.
Recommendations: Upgrade to OAuth2-Proxy version 7.13.0 or later.
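The following is an added example, not oauth2-proxy's code and not part of this advisory. It models the name folding the description refers to (the PEP 3333 rule that turns any header name into an HTTP_* environ key by upper-casing and replacing hyphens with underscores), shows why a filter that only recognizes the hyphenated spelling of X-Forwarded-* lets the underscore spelling through, and pairs it with a filter that canonicalizes the name before matching plus a detection hook that flags underscore header names for logging. The header values, host name and addresses are constructed.

```python
# Added example (not oauth2-proxy code): shows why a filter that only knows the
# hyphenated spelling of X-Forwarded-* can be bypassed by an underscore spelling
# once a WSGI upstream folds header names, and how canonicalizing before the
# check closes the gap. All names, hosts and addresses here are constructed.
from collections.abc import Callable, Iterable

Header = tuple[str, str]

# Prefix of the headers the reverse proxy is expected to own (from the advisory).
FORWARDED_PREFIX = "x-forwarded-"


def wsgi_environ_key(header_name: str) -> str:
    """PEP 3333 mapping from an HTTP header name to its CGI-style environ key.

    This is the normalization that makes 'X_Forwarded_For' and
    'X-Forwarded-For' land on the same key inside a WSGI application.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def canonical_header_name(header_name: str) -> str:
    """Spell a header name the way the upstream will see it: lower-case,
    with underscores folded to hyphens."""
    return header_name.strip().lower().replace("_", "-")


def naive_strip_forwarded(headers: Iterable[Header]) -> list[Header]:
    """Flawed filter: drops only names that already use hyphens, so
    'X_Forwarded_For' slips through."""
    return [(n, v) for n, v in headers
            if not n.lower().startswith(FORWARDED_PREFIX)]


def hardened_strip_forwarded(headers: Iterable[Header]) -> list[Header]:
    """Fixed filter: canonicalize first, so every spelling the upstream would
    fold into X-Forwarded-* is removed regardless of case or separator."""
    return [(n, v) for n, v in headers
            if not canonical_header_name(n).startswith(FORWARDED_PREFIX)]


def underscore_header_names(headers: Iterable[Header]) -> list[str]:
    """Detection hook: header names containing '_' are unusual in legitimate
    traffic and worth logging or alerting on at the proxy."""
    return [n for n, _ in headers if "_" in n]


def upstream_view(headers: Iterable[Header]) -> dict[str, list[str]]:
    """Group forwarded headers by the environ key a WSGI server derives.
    Keeping a list per key makes a collision between a smuggled spelling and
    the proxy's own header visible without assuming which value a given
    server keeps."""
    environ: dict[str, list[str]] = {}
    for name, value in headers:
        environ.setdefault(wsgi_environ_key(name), []).append(value)
    return environ


def proxy_forward(client_headers: Iterable[Header],
                  strip: Callable[[Iterable[Header]], list[Header]],
                  real_client_ip: str) -> dict[str, list[str]]:
    """Model the proxy: strip client-supplied X-Forwarded-* headers, append the
    proxy's own X-Forwarded-For, then return what the upstream receives."""
    kept = strip(client_headers)
    kept.append(("X-Forwarded-For", real_client_ip))
    return upstream_view(kept)


# Constructed client request: one underscore spelling and one hyphenated
# spelling of proxy-owned headers, plus ordinary headers that must survive.
CLIENT_HEADERS: list[Header] = [
    ("Host", "app.example.test"),
    ("X_Forwarded_For", "198.51.100.7"),
    ("X-Forwarded-Proto", "https"),
    ("Cookie", "session=constructed"),
]
REAL_CLIENT_IP = "203.0.113.9"

if __name__ == "__main__":
    print("underscore names:", underscore_header_names(CLIENT_HEADERS))
    print("naive   :", proxy_forward(CLIENT_HEADERS, naive_strip_forwarded, REAL_CLIENT_IP))
    print("hardened:", proxy_forward(CLIENT_HEADERS, hardened_strip_forwarded, REAL_CLIENT_IP))
```

With the naive filter the upstream's HTTP_X_FORWARDED_FOR key carries two values, the client-supplied one and the proxy's, and which one the application trusts depends on how that server collapses duplicates; with the hardened filter only the proxy's value remains. The canonicalization step is the mitigating idea; the detection hook gives operators a simple signal to watch for while the upgrade to 7.13.0 is rolled out.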

Exploit · Fix · LPE

Weakness Enumeration

Related Identifiers

BIT-OAUTH2-PROXY-2025-64484 · CVE-2025-64484 · GHSA-VJRC-MH2V-45X6 · GO-2025-4113

Affected Products

Oauth2 Proxy