Bug 2413911 (CVE-2025-64484)
| Summary: | CVE-2025-64484 oauth2-proxy: OAuth2-Proxy vulnerable to header smuggling via underscore, leading to potential privilege escalation |
|---|---|
| Product: | [Other] Security Response |
| Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability |
| Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- |
| QA Contact: | |
| Severity: | high |
| Docs Contact: | |
| Priority: | high |
| Version: | unspecified |
| CC: | amctagga, aoconnor, bniver, flucifre, gmeno, groman, mbenjamin, mhackett, sostapov, vereddy |
| Target Milestone: | --- |
| Keywords: | Security |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | --- |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | 2414537 |
| Bug Blocks: | |

Doc Text:

A header-smuggling vulnerability was found in OAuth2-Proxy's handling of HTTP headers whose names contain underscores (_), such as X_Forwarded_For. OAuth2-Proxy strips or overwrites the hyphenated spellings of the headers it injects for the upstream (X-Forwarded-User, X-Forwarded-Email and similar), but it did not normalize or drop the underscore spellings, so a crafted request could carry them past the proxy's header filtering. When OAuth2-Proxy is deployed in front of an application that treats hyphens and underscores in header names as equivalent, which is what CGI-style backends such as WSGI frameworks (Django, Flask) and PHP do when they map both X-Forwarded-For and X_Forwarded_For to the single server variable HTTP_X_FORWARDED_FOR, an authenticated attacker could use the underscore form to inject or override upstream headers the backend trusts, potentially gaining unauthorized access to protected endpoints or sensitive information. Deployments are affected where the header trust boundary between the proxy and the backend application is not strictly enforced.
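The collision described in the Doc Text, modelled as an added example in Go (the language OAuth2-Proxy is written in). This is not code from OAuth2-Proxy or from the bug report: it is a small simulation of the two sides of the trust boundary. `cgiKey` is the header-name normalisation that CGI, WSGI and PHP backends perform; `backendEnviron` assumes wsgiref's behaviour of comma-joining fields that collide on one key, in wire order; `vulnerableForward` and `hardenedForward` are hypothetical proxy filters that stand in for the unpatched and patched handling, and the three names in `identityHeaders` and the request in `main` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// hdr is one request header field in wire order. An ordered slice is used
// instead of net/http's Header map so that the order in which a CGI-style
// backend sees colliding fields is deterministic.
type hdr struct{ Name, Value string }

// identityHeaders are the hyphenated names the proxy fills from the verified
// session (assumed list). The client must never be able to supply any of them.
var identityHeaders = []string{"X-Forwarded-User", "X-Forwarded-Email", "X-Forwarded-Groups"}

// cgiKey applies the normalisation CGI, WSGI and PHP backends apply to header
// names: upper-case, '-' replaced by '_', HTTP_ prefix. It is many-to-one:
// "X-Forwarded-User" and "X_Forwarded_User" both become HTTP_X_FORWARDED_USER,
// which is the whole basis of the smuggling.
func cgiKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// backendEnviron builds the environ a WSGI backend derives from the forwarded
// headers. Fields that collide on one key are comma-joined in wire order, as
// wsgiref's get_environ does (assumed backend behaviour).
func backendEnviron(hs []hdr) map[string]string {
	env := map[string]string{}
	for _, h := range hs {
		k := cgiKey(h.Name)
		if prev, ok := env[k]; ok {
			env[k] = prev + "," + h.Value
		} else {
			env[k] = h.Value
		}
	}
	return env
}

// vulnerableForward mimics the unpatched behaviour: only the exact hyphenated
// spellings are stripped before the proxy appends its own value, so a
// client-supplied X_Forwarded_User passes through untouched.
func vulnerableForward(client []hdr, user string) []hdr {
	var out []hdr
	for _, h := range client {
		drop := false
		for _, id := range identityHeaders {
			if strings.EqualFold(h.Name, id) {
				drop = true
			}
		}
		if !drop {
			out = append(out, h)
		}
	}
	return append(out, hdr{"X-Forwarded-User", user})
}

// hardenedForward compares names after the same normalisation the backend will
// apply, so every spelling that would land on a protected environ key is
// removed, and additionally drops any header still containing an underscore,
// since no legitimate client header needs that spelling.
func hardenedForward(client []hdr, user string) []hdr {
	protected := map[string]bool{}
	for _, id := range identityHeaders {
		protected[cgiKey(id)] = true
	}
	var out []hdr
	for _, h := range client {
		if protected[cgiKey(h.Name)] || strings.Contains(h.Name, "_") {
			continue
		}
		out = append(out, h)
	}
	return append(out, hdr{"X-Forwarded-User", user})
}

func main() {
	// Constructed request: the attacker is authenticated as "alice" and sends
	// both spellings of the identity header, plus an underscore-only email header
	// that the proxy never sets for this request.
	client := []hdr{
		{"X-Forwarded-User", "admin"},
		{"X_Forwarded_User", "admin"},
		{"X_Forwarded_Email", "admin@example.invalid"},
		{"Accept", "*/*"},
	}
	for name, fwd := range map[string]func([]hdr, string) []hdr{
		"vulnerable": vulnerableForward, "hardened": hardenedForward,
	} {
		env := backendEnviron(fwd(client, "alice"))
		fmt.Printf("%-10s HTTP_X_FORWARDED_USER=%q HTTP_X_FORWARDED_EMAIL=%q\n",
			name, env["HTTP_X_FORWARDED_USER"], env["HTTP_X_FORWARDED_EMAIL"])
	}
}
```

With the vulnerable filter the backend sees HTTP_X_FORWARDED_USER as "admin,alice" and HTTP_X_FORWARDED_EMAIL as the attacker's value outright, because the proxy set no email header of its own to contend with it. The ordering matters for headers such as X-Forwarded-For, where applications conventionally take the first comma-separated element as the client address, so the smuggled value, which arrives first in wire order, is the one that gets trusted. The hardened filter leaves only "alice" and no email key at all. Filtering on the normalised key rather than on the literal name is the check that closes the gap; dropping underscore headers outright is the same conservative default nginx applies with underscores_in_headers off.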
Description
OSIDB Bzimport
2025-11-10 22:02:13 UTC