Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Critical authentication bypass vulnerability in OAuth2- Proxy can lead to attackers gaining unauthorised access to protected resources. Patch Immediately!
Image
Published : 31/07/2025
* Last update: 31/07/2025
* Affected software:: OAuth2-Proxy prior to version v7.11.0
* Type: Authentication bypass
* CVE/CVSS
→ CVE-2025-54576: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Sources
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434
Risks
On 30 July 2025, OAuth2-Proxy published a security release to fix CVE-2025-54576. This vulnerability
affects OAuth2-proxy deployments using the skip_auth_routes configuration option with regex patterns.
OAuth2-Proxy is an open-source tool that can be used as a reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups.
Successfully exploiting CVE-2025-54576 allows attackers to bypass authentication and gain
unauthorised access to protected resources. Exploitation of this vulnerability can have a high impact on
confidentiality and integrity, and no impact on availability.
There is no report of active exploitation (cut-off date: 31 July 2025).
Description
CVE-2025-54576 is a flaw affecting OAuth2-proxy deployments using the skip_auth_routes configuration
option with regex patterns. There is a flaw in skip_auth_routes that causes it to match the complete
request URI (path + query parameters) instead of just the path, as documented. This discrepancy
enables authentication bypass attacks where attackers append malicious query parameters to access
protected endpoints.
Note that deployments using skip_auth_routes with regex patterns containing wildcards or broad
matching patterns are most at risk, especially when backend services ignore unknown query parameters.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
OAuth2-Proxy also recommends implementing the following immediate mitigations to secure your
configuration:
- Review regex patterns: Audit all skip_auth_routes configurations for overly permissive patterns
- Use precise patterns: Replace wildcard patterns with exact path matches where possible
- Anchor patterns: Ensure regex patterns are properly anchored (start with ^ and end with $)
- Path-only matching: Consider implementing custom validation that strips query parameters
before regex matching.
Please find the Configuration documentation at <https://oauth2-proxy.github.io/oauth2-
proxy/configuration/overview/#proxy-options>
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via:https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/#proxy-options