Privilege Escalation Vulnerability in OAuth2-Proxy Affecting Multiple Applications
CVE-2025-64484

8.5 HIGH

Key Information:

Vendor
CVE Published:
10 November 2025

What is CVE-2025-64484?

OAuth2-Proxy, an open-source reverse proxy and middleware, is vulnerable in versions prior to 7.13.0: an authenticated user can inject underscore variants of the X-Forwarded-* headers. These variants bypass the proxy's header filtering and can lead to privilege escalation in upstream applications that normalize underscores to dashes. OAuth2-Proxy's own authentication and authorization remain intact; the risk lies in how hosted applications such as Django, Flask and FastAPI interpret the injected headers. Version 7.13.0 fixes the issue by normalizing the specified headers so that differences in capitalization and in underscores versus dashes are treated as equivalent. For deployments that must retain particular header variants, a new configuration option, InsecureSkipHeaderNormalization, disables this normalization. Upstream services should also harden their own filtering logic to handle such header variants securely.
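The following Go program is an added illustration of the normalization described above; it is not oauth2-proxy's own code, and the header names it uses (X_Forwarded_User and similar) are constructed examples. It shows why an underscore spelling is dangerous (CGI/WSGI frameworks expose both spellings under the same HTTP_X_FORWARDED_USER key) and how a proxy-side filter that canonicalizes names before matching closes the gap.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// canonicalHeaderName folds case and treats underscores as dashes, so that
// "x_forwarded_user", "X-Forwarded-User" and "X_FORWARDED_USER" all become
// "X-Forwarded-User". Illustrative implementation, not oauth2-proxy's.
func canonicalHeaderName(name string) string {
	return http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))
}

// isForwardedVariant reports whether a header name, in any spelling, would
// collide with the proxy-controlled X-Forwarded-* family after normalization.
func isForwardedVariant(name string) bool {
	return strings.HasPrefix(canonicalHeaderName(name), "X-Forwarded-")
}

// wsgiEnvKey shows why the variants matter upstream: CGI/WSGI frameworks
// (Django, Flask, ...) expose a request header as HTTP_ + upper-cased name
// with dashes replaced by underscores, so both spellings land in one key.
func wsgiEnvKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// filterHeaderNames returns, in order, the client-supplied header names that
// survive the filter. Go's http.Header canonicalization leaves underscores
// untouched, so a naive exact-name check would let "X_Forwarded_User" through.
func filterHeaderNames(names []string) []string {
	var kept []string
	for _, n := range names {
		if isForwardedVariant(n) {
			continue
		}
		kept = append(kept, n)
	}
	return kept
}

// stripForwardedVariants applies the same rule to a real http.Header; the
// proxy would afterwards set its own trusted X-Forwarded-* values.
func stripForwardedVariants(h http.Header) http.Header {
	out := http.Header{}
	for name, values := range h {
		if isForwardedVariant(name) {
			continue
		}
		out[name] = values
	}
	return out
}

func main() {
	// Constructed sample of headers a client might send through the proxy.
	incoming := []string{"Host", "X_Forwarded_User", "Accept", "x-forwarded-email"}
	for _, n := range incoming {
		fmt.Printf("%-18s canonical=%-18s wsgi=%s drop=%v\n",
			n, canonicalHeaderName(n), wsgiEnvKey(n), isForwardedVariant(n))
	}
	fmt.Println("kept:", filterHeaderNames(incoming))
}
```

The proxy-side lesson is that any allow/deny decision on header names must run on the canonical form; the upstream-side lesson is that a framework's HTTP_* environment key cannot tell the two spellings apart, which is why the advisory recommends hardening the upstream filter as well.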

Affected Version(s)

oauth2-proxy < 7.13.0

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
