CVE-2025-64484 in OAuth2-Proxy

Summary

by MITRE • 11/11/2025

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications) are affected. Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy's filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rationale that requires keeping a similar-looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way.


Analysis

by VulDB Data Team • 11/11/2025

CVE-2025-64484 represents a critical header normalization vulnerability in OAuth2-Proxy that affects versions prior to 7.13.0. It stems from the proxy's failure to consistently normalize HTTP header name variations during filtering, creating a privilege escalation vector for authenticated users. The flaw specifically impacts deployments where the upstream application normalizes underscores to dashes in HTTP header names, as WSGI-based frameworks such as Django, Flask and FastAPI, and PHP applications, do. The vulnerability manifests when authenticated users inject underscore variants of X-Forwarded-* headers that bypass the proxy's filtering logic, allowing them to supply values for headers that should have been stripped or set by the proxy.

The vulnerability arises from inconsistent handling of header normalization between OAuth2-Proxy and the upstream application. When the proxy filters headers, it does not fold capitalization or underscores versus dashes before matching names against its strip list. Headers like X-Forwarded-For are therefore treated differently from X_Forwarded-For, so a client can send a variant that passes through the proxy's filter yet is folded back onto the canonical name by the upstream. The vulnerability is classified under CWE-284 (Improper Access Control), since the normalization inconsistency lets header manipulation defeat an access control boundary.

The operational impact of this vulnerability extends beyond simple header bypassing, as it can potentially allow authenticated users to escalate privileges within upstream applications that rely on X-Forwarded-* headers for trust decisions. When upstream services normalize underscores to dashes, they may interpret the injected underscore-based headers differently than the proxy, creating a mismatch that could be exploited to manipulate trusted header values such as X-Forwarded-For, X-Forwarded-Proto, or X-Forwarded-Host. This inconsistency in header processing creates an attack surface where malicious users can manipulate routing decisions, trust boundaries, or authentication contexts within the upstream application.

Security practitioners should consider this vulnerability in the context of the ATT&CK framework's privilege escalation techniques, specifically T1068 Valid Accounts and T1566 Phishing, as routes to gaining access to sensitive resources. The patch in version 7.13.0 addresses the issue by normalizing all specified headers consistently, treating both capitalization and underscore/dash variations as equivalent during matching. The maintainers also introduced the AlphaConfig parameter InsecureSkipHeaderNormalization to accommodate legitimate use cases where a similar-looking header must be preserved, though enabling it reintroduces the security considerations described above and must be evaluated carefully.

Organizations should implement comprehensive mitigation strategies that include immediate deployment of OAuth2-Proxy version 7.13.0 or later, along with validation of upstream application header processing logic to ensure consistent handling of header variations. The recommended approach involves thorough testing of header normalization behaviors across all deployed applications and configuration of the new InsecureSkipHeaderNormalization parameter only when absolutely necessary for legitimate business requirements. Additionally, security teams should monitor for any custom header processing logic in upstream applications that may create similar inconsistencies, as the vulnerability extends beyond the proxy itself to encompass the entire header processing chain between client and application backend.
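The following is an added model of the mismatch the analysis describes and of the normalization introduced in 7.13.0; it is illustrative code written for this page, not oauth2-proxy's or any framework's code. The strip list, the `forward` step, the peer IP and the client request are constructed assumptions; the WSGI key derivation follows PEP 3333 (HTTP_ prefix, upper case, dash to underscore).

```python
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Headers the proxy owns and removes from the client request (constructed subset).
STRIP_LIST = ["X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host"]


def normalize(name: str) -> str:
    """Fold case and underscore/dash: the equivalence the 7.13.0 fix applies
    when matching headers to strip (modelled here, not the project's code)."""
    return name.lower().replace("_", "-")


def strip_exact(headers: Headers) -> Headers:
    """Pre-fix behaviour (modelled): only the canonical spelling is matched,
    so a client-sent 'X_Forwarded-For' passes through untouched."""
    blocked = {n.lower() for n in STRIP_LIST}
    return [(k, v) for k, v in headers if k.lower() not in blocked]


def strip_normalized(headers: Headers) -> Headers:
    """Fixed behaviour: underscore and dash variants match the strip list."""
    blocked = {normalize(n) for n in STRIP_LIST}
    return [(k, v) for k, v in headers if normalize(k) not in blocked]


def forward(client: Headers, strip: Callable[[Headers], Headers], peer_ip: str) -> Headers:
    """Proxy step (assumed model): strip untrusted headers, then set the trusted one."""
    return strip(client) + [("X-Forwarded-For", peer_ip)]


def wsgi_environ(headers: Headers) -> Dict[str, str]:
    """How a WSGI server exposes headers (PEP 3333): HTTP_ prefix, upper case,
    '-' becomes '_'. Both spellings land on the same key; duplicate values are
    joined with ', ' as CGI-style servers do."""
    env: Dict[str, str] = {}
    for k, v in headers:
        key = "HTTP_" + k.upper().replace("-", "_")
        env[key] = v if key not in env else env[key] + ", " + v
    return env


# Constructed request from an authenticated client carrying an underscore
# variant of a header the proxy is supposed to control.
CLIENT_REQUEST: Headers = [("X_Forwarded-For", "10.0.0.1"), ("Host", "app.example")]


def upstream_xff(strip: Callable[[Headers], Headers]) -> str:
    """X-Forwarded-For value the upstream app sees under a given filter."""
    env = wsgi_environ(forward(CLIENT_REQUEST, strip, "203.0.113.9"))
    return env["HTTP_X_FORWARDED_FOR"]
```

With `strip_exact` the upstream sees the client-supplied address first in the list; with `strip_normalized` only the proxy's value survives.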

Responsible: GitHub M

Reservation: 11/05/2025

Disclosure: 11/11/2025

Moderation: accepted

CPE: ready

EPSS: 0.00041

KEV: no

Activities: very low
