Privilege Escalation Vulnerability in OAuth2-Proxy Affecting Multiple Applications
CVE-2025-64484
What is CVE-2025-64484?
CVE-2025-64484 is a privilege escalation vulnerability in OAuth2-Proxy, an open-source reverse proxy that puts OAuth2/OpenID Connect authentication in front of applications, either as a standalone reverse proxy or as an authentication middleware for an existing proxy or load balancer. After authenticating a user, the proxy forwards the request upstream together with identity headers such as X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Groups, and the upstream application trusts those headers because only the proxy is supposed to set them. To keep that trust safe, the proxy filters out any X-Forwarded-* headers the client itself sent before adding its own. In versions before 7.13.0 that filtering only matched the dash-spelled header names. An authenticated user could instead send the underscore variant (for example X_Forwarded_User), which the proxy passed through untouched. If the upstream application normalizes underscores to dashes in header names (as CGI/WSGI-style HTTP_* environment mapping does), it treats the smuggled value as if the proxy had set it, so a legitimately logged-in but low-privileged user can impersonate another identity or claim additional groups in the backend. The authentication and authorization of OAuth2 Proxy itself are not affected; the exposure is in applications that rely on the forwarded headers and normalize header names. The fix is to upgrade to 7.13.0 or later.
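The following is an added illustration, not code from the oauth2-proxy project or its actual patch: a dash-only header filter of the kind the advisory describes next to a hardened filter that folds underscores to dashes before matching, both run against a constructed request from a user authenticated as "alice" who smuggles `X_Forwarded_User: admin`. The CGI-style upstream (`HTTP_X_FORWARDED_USER`, duplicates joined with ", ") is an assumed model of an "underscore-normalizing" application; the function and variable names are mine.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Identity headers the proxy injects for the upstream. Anything the client sends
// under these names, in any spelling the upstream would fold into them, must be dropped.
var proxyIdentityHeaders = []string{
	"X-Forwarded-User",
	"X-Forwarded-Email",
	"X-Forwarded-Groups",
	"X-Forwarded-Preferred-Username",
}

// stripClientIdentityVulnerable models the pre-7.13.0 behaviour the advisory describes:
// only the exact dash-spelled names are removed, so "X_Forwarded_User" passes through.
func stripClientIdentityVulnerable(h http.Header) {
	for _, name := range proxyIdentityHeaders {
		h.Del(name)
	}
}

// foldName maps a header name to the form an underscore-normalizing upstream would
// see: underscores become dashes, then the name is canonicalized.
func foldName(name string) string {
	return http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))
}

// stripClientIdentityHardened (one possible fix, not the project's patch) removes every
// client header whose folded name collides with a proxy-controlled identity header.
func stripClientIdentityHardened(h http.Header) {
	blocked := make(map[string]bool, len(proxyIdentityHeaders))
	for _, name := range proxyIdentityHeaders {
		blocked[name] = true
	}
	for raw := range h {
		if blocked[foldName(raw)] {
			delete(h, raw) // delete by raw key: h.Del would re-canonicalize and miss it
		}
	}
}

// proxyRequest runs the filter on the client's headers and then injects the identity
// the proxy actually authenticated, returning what the upstream receives.
func proxyRequest(client http.Header, authenticatedUser string, strip func(http.Header)) http.Header {
	out := client.Clone()
	strip(out)
	out.Set("X-Forwarded-User", authenticatedUser)
	return out
}

// cgiEnv models an upstream that normalizes header names the CGI/WSGI way:
// "X-Forwarded-User" and "X_Forwarded_User" both become HTTP_X_FORWARDED_USER and
// duplicate values are joined with ", ". Keys are processed in sorted order so the
// result is deterministic.
func cgiEnv(h http.Header) map[string]string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	env := map[string]string{}
	for _, k := range keys {
		envKey := "HTTP_" + strings.ToUpper(strings.ReplaceAll(k, "-", "_"))
		for _, v := range h[k] {
			if prev, ok := env[envKey]; ok {
				env[envKey] = prev + ", " + v
			} else {
				env[envKey] = v
			}
		}
	}
	return env
}

// UpstreamUser returns the identity the modelled upstream would trust after the
// request passes through a proxy using the given filter.
func UpstreamUser(client http.Header, authenticatedUser string, strip func(http.Header)) string {
	return cgiEnv(proxyRequest(client, authenticatedUser, strip))["HTTP_X_FORWARDED_USER"]
}

// ConstructedAttack is a made-up request from a user already logged in as "alice"
// who adds both spellings of the identity header.
func ConstructedAttack() http.Header {
	h := http.Header{}
	h.Set("Cookie", "_oauth2_proxy=...") // session cookie, value elided
	h.Set("X_Forwarded_User", "admin")   // underscore variant: survives the dash-only filter
	h.Set("X-Forwarded-User", "admin")   // dash variant: stripped by both filters
	return h
}

func main() {
	fmt.Println("vulnerable filter:", UpstreamUser(ConstructedAttack(), "alice", stripClientIdentityVulnerable))
	fmt.Println("hardened filter:  ", UpstreamUser(ConstructedAttack(), "alice", stripClientIdentityHardened))
}
```

With the vulnerable filter the upstream's HTTP_X_FORWARDED_USER contains both "alice" and the attacker-supplied "admin"; which one the application ends up acting on depends on how it merges duplicates, but attacker data has reached a field the application treats as proxy-set. With the hardened filter only "alice" arrives. Note that some front-ends drop underscore header names on their own (nginx does unless underscores_in_headers is enabled), which is why the impact depends on the full proxy chain and not only on the oauth2-proxy version.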
Potential impact of CVE-2025-64484
- Unauthorized Access: Because the upstream application trusts the forwarded identity headers, a user who can smuggle an underscore variant past the proxy's filter can present a different user, email or group membership to the backend and reach resources that their real account is not entitled to.
- Data Breaches: With an assumed identity or group the attacker can read, extract or alter application data. The proxy's own authentication succeeded normally, so nothing in its login records points at the abuse; only the upstream request headers reveal it.
- Application Integrity Compromise: If the application derives administrative rights from the forwarded headers, the attacker can take privileged actions inside it, which may lead to service disruption or wider impact across systems that the application in turn controls.

Affected Version(s)
oauth2-proxy < 7.13.0
