Open Redirect in OAuth2 Proxy
Description
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OAuth2 Proxy before 5.0 has an open redirect allowing token theft by exploiting insufficient redirect validation.
Vulnerability
OAuth2 Proxy before version 5.0 contains an open redirect vulnerability due to insufficient validation of redirect URIs. For host-relative redirects the proxy checks only that the value starts with "/" and not "//", so it fails to block patterns like "/\domain.com", allowing an attacker to redirect users to external domains [3].
Exploitation
An attacker can craft a redirect URL starting with "/\" that passes the proxy's validation, since it begins with "/" but not "//". When the browser processes the resulting redirect, it treats a backslash in an http(s) URL as a forward slash, so "/\domain.com" becomes the scheme-relative URL "//domain.com" and the user is sent to an attacker-controlled domain. In OAuth flows, this could be used to silently harvest authentication tokens passed as query parameters [1][3].
Impact
Successful exploitation could lead to theft of authentication tokens, enabling an attacker to impersonate victims and gain unauthorized access to protected resources [1][3].
Mitigation
The vulnerability is patched in OAuth2 Proxy version 5.0 [4]. Users should upgrade immediately; no workaround is available [3].
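As an added example (not code from this page or from the oauth2-proxy project), the pre-5.0 and 5.0 forms of the host-relative check side by side, plus a helper that approximates how a WHATWG-conformant browser resolves the Location value; the origin and hostnames are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isValidRedirectBefore reproduces the pre-5.0 host-relative branch:
// anything starting with "/" but not "//" is accepted, so `/\evil.example`
// passes validation.
func isValidRedirectBefore(redirect string) bool {
	return strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//")
}

// isValidRedirectFixed adds the 5.0 rejection of a leading `/\`.
func isValidRedirectFixed(redirect string) bool {
	return strings.HasPrefix(redirect, "/") &&
		!strings.HasPrefix(redirect, "//") &&
		!strings.HasPrefix(redirect, "/\\")
}

// browserHost approximates a WHATWG URL parser resolving a Location value
// against the proxy origin: for http(s) URLs a backslash is treated as a
// slash, so `/\evil.example` becomes the scheme-relative `//evil.example`
// and the request leaves the proxy's origin. It returns the resulting host.
func browserHost(proxyOrigin, redirect string) (string, error) {
	base, err := url.Parse(proxyOrigin)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(strings.ReplaceAll(redirect, `\`, "/"))
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).Host, nil
}

func main() {
	// Constructed sample values; proxy.example and evil.example are placeholders.
	const origin = "https://proxy.example"
	for _, rd := range []string{"/dashboard", "//evil.example", `/\evil.example`} {
		host, _ := browserHost(origin, rd)
		fmt.Printf("%-18q before=%-5t fixed=%-5t lands on %s\n",
			rd, isValidRedirectBefore(rd), isValidRedirectFixed(rd), host)
	}
}
```

Running it shows that only the third input differs between the two checks: the old check accepts it while the browser resolves it to evil.example.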
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/oauth2-proxy/oauth2-proxy (Go) | < 5.0.0 | 5.0.0 |
Affected products
- 3 OSV coordinates, 2 version entries; no CPE assigned; affected range: < 5.0.0
Patches
1 patch: a316f8a06f3c Merge pull request from GHSA-qqxw-m5fj-f7gv
2 files changed · +2 −2
CHANGELOG.md+1 −1 modified@@ -17,7 +17,7 @@ - DigitalOcean provider support added ## Important Notes -N/A +- (Security) Fix for open redirect vulnerability.. a bad actor using `/\` in redirect URIs can redirect a session to another domain ## Breaking Changes
oauthproxy.go+1 −1 modified@@ -558,7 +558,7 @@ func validOptionalPort(port string) bool { // IsValidRedirect checks whether the redirect URL is whitelisted func (p *OAuthProxy) IsValidRedirect(redirect string) bool { switch { - case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): + case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"): return true case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"): redirectURL, err := url.Parse(redirect)
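Review bot: the CHANGELOG.md hunk has a stray double period in "vulnerability.. a bad actor"; suggest "Fix for open redirect vulnerability: a bad actor using `/\` in redirect URIs can redirect a session to another domain."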
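Review bot: in the oauthproxy.go hunk the new condition `!strings.HasPrefix(redirect, "/\\")` only rejects the literal two-character prefix, leaving the host-relative branch a denylist of known bad prefixes. Since the point is that browsers normalise backslashes to slashes, a more robust check would reject any backslash in a host-relative value (for example `strings.Contains(redirect, "\\")`) or parse the value and require an empty host, and the `IsValidRedirect` comment should document that backslashes are treated as slashes by browsers so future readers understand why the check exists.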
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9 references:
- github.com/advisories/GHSA-qqxw-m5fj-f7gv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-5233 (GHSA, advisory)
- blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect (GHSA, web)
- github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv (GHSA, web)
- github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2 (GHSA, web)
- github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0 (GHSA, web)
- github.com/pusher/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2 (MITRE, x_refsource_MISC)
- github.com/pusher/oauth2_proxy/releases/tag/v5.0.0 (MITRE, x_refsource_MISC)
- github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv (MITRE, x_refsource_CONFIRM)