CVE-2025-64484: OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation
Affected: all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP header names (e.g., WSGI-based frameworks such as Django, Flask and FastAPI, and PHP applications).
Authenticated users can inject underscore variants of X-Forwarded-* headers (for example X_Forwarded_User instead of X-Forwarded-User) that bypass the proxy's header-filtering logic; once the upstream application normalizes the name, the injected value can be mistaken for a proxy-set identity header, potentially escalating privileges in the upstream app. OAuth2 Proxy's own authentication and authorization are not compromised.
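The following Go program is an added illustration of the mechanism and its mitigation; it is not OAuth2 Proxy's own code and does not reproduce the fix referenced below. It assumes a hypothetical deny list of proxy-set header names and a hypothetical CGI/WSGI-style key derivation (`HTTP_` + upper-case name with dashes folded to underscores) to show why the two spellings collide upstream. `naiveStrip` deletes only the canonical dashed names, so `X_Forwarded_User` survives; `hardenedStrip` folds underscores to dashes before comparing, so every spelling the upstream would merge into a protected name is dropped.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Hypothetical deny list: headers the proxy itself sets for the upstream
// and therefore must never accept from the client.
var proxySetHeaders = []string{
	"X-Forwarded-User",
	"X-Forwarded-Email",
	"X-Forwarded-Groups",
	"X-Forwarded-Preferred-Username",
	"X-Forwarded-Access-Token",
	"Authorization",
}

// foldHeaderName maps every spelling a dash/underscore-normalizing upstream
// would treat as the same header onto one comparison key.
func foldHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// upstreamEnvKey models the CGI/WSGI-style environment key an upstream
// framework derives from a header name (assumed behaviour, shown to make the
// collision visible): "X-Forwarded-User" and "X_Forwarded_User" both become
// "HTTP_X_FORWARDED_USER".
func upstreamEnvKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// naiveStrip removes only the exact canonical names. net/http canonicalizes
// "X_Forwarded_User" to "X_forwarded_user", which never matches
// "X-Forwarded-User", so the underscore variant is forwarded untouched.
func naiveStrip(h http.Header) {
	for _, name := range proxySetHeaders {
		h.Del(name)
	}
}

// hardenedStrip compares every incoming header name after folding, so any
// variant that collides with a protected name upstream is removed.
func hardenedStrip(h http.Header) {
	protected := make(map[string]struct{}, len(proxySetHeaders))
	for _, name := range proxySetHeaders {
		protected[foldHeaderName(name)] = struct{}{}
	}
	for name := range h {
		if _, hit := protected[foldHeaderName(name)]; hit {
			delete(h, name) // name is the stored key; deleting while ranging is safe
		}
	}
}

// forwardedNames returns the sorted header names that would reach the
// upstream after the given filter has run.
func forwardedNames(h http.Header, strip func(http.Header)) []string {
	strip(h)
	names := make([]string, 0, len(h))
	for name := range h {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// sampleRequestHeaders builds a constructed client request carrying a dashed
// and an underscore spelling of the same identity header plus a benign one.
func sampleRequestHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-User", "someone")
	h.Set("X_Forwarded_User", "someone")
	h.Set("Accept", "text/html")
	return h
}

func main() {
	fmt.Println("upstream key collision:",
		upstreamEnvKey("X-Forwarded-User") == upstreamEnvKey("X_Forwarded_User"))
	fmt.Println("naive filter forwards:   ", forwardedNames(sampleRequestHeaders(), naiveStrip))
	fmt.Println("hardened filter forwards:", forwardedNames(sampleRequestHeaders(), hardenedStrip))
}
```

When run, the naive filter forwards the `X_forwarded_user` name alongside `Accept`, while the hardened filter forwards only `Accept`; the collision check prints `true`. The same fold-then-compare approach applies to any deny list of proxy-set headers, not just the X-Forwarded-* family.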
References
- datatracker.ietf.org/doc/html/rfc2616
- datatracker.ietf.org/doc/html/rfc822
- github.com/advisories/GHSA-vjrc-mh2v-45x6
- github.com/oauth2-proxy/oauth2-proxy
- github.com/oauth2-proxy/oauth2-proxy/commit/f3f30fa976fb4bb97d6345ba4735cb6d86e24f95
- github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.13.0
- github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6
- github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html
- nvd.nist.gov/vuln/detail/CVE-2025-64484
- www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx