Subdomain checking of whitelisted domains could allow unintended redirects
Description
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OAuth2 Proxy before 7.0.0 allowed unintended redirect domains due to insufficient whitelist domain suffix matching.
Vulnerability
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using providers such as Google, GitHub, and others [1]. The whitelist domain feature, intended to restrict redirect URIs to specific domains, could be bypassed due to insufficient string matching. When a whitelist domain was configured with a leading dot (e.g., .example.com), the code stripped the dot and only checked if the redirect hostname ended with the domain name [4]. This allowed domains like example.com or badexample.com to be considered valid redirect targets, contrary to the intended behavior of only allowing subdomains of the specified domain [1][4].
Exploitation
An attacker could exploit this flaw by crafting a redirect URI that ends with the whitelisted domain name (e.g., https://badexample.com/) without being a proper subdomain. Since the validation logic only performed a suffix match without requiring a preceding dot, any domain ending in example.com would be accepted [4]. The vulnerability is present in all versions before 7.0.0, and exploitation requires that the OAuth2 Proxy instance has the whitelist domain feature enabled [1][2].
Impact
A successful attack could redirect a user to a malicious domain that appears similar to an allowed destination, potentially leading to credential theft or other phishing attacks. The attacker could intercept OAuth tokens or trick users into revealing sensitive information [1][4].
Mitigation
The vulnerability is fixed in OAuth2 Proxy version 7.0.0, which includes an improved domain matching check that requires the redirect hostname to have a dot before the domain to ensure it is a proper subdomain [2][4]. As a workaround, administrators can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/oauth2-proxy/oauth2-proxy/v7Go | < 7.0.0 | 7.0.0 |
github.com/oauth2-proxy/oauth2-proxyGo | <= 3.2.0 | — |
Affected products
4- osv-coords3 versionspkg:bitnami/oauth2-proxypkg:golang/github.com/oauth2-proxy/oauth2-proxypkg:golang/github.com/oauth2-proxy/oauth2-proxy/v7
< 7.0.0+ 2 more
- (no CPE)range: < 7.0.0
- (no CPE)range: <= 3.2.0
- (no CPE)range: < 7.0.0
- Range: < 7.0.0
Patches
1780ae4f3c99bMerge pull request from GHSA-4mf2-f3wh-gvf2
2 files changed · +14 −7
oauthproxy.go+9 −7 modified@@ -437,21 +437,23 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool { } redirectHostname := redirectURL.Hostname() - for _, domain := range p.whitelistDomains { - domainHostname, domainPort := splitHostPort(strings.TrimLeft(domain, ".")) - if domainHostname == "" { + for _, allowedDomain := range p.whitelistDomains { + allowedHost, allowedPort := splitHostPort(allowedDomain) + if allowedHost == "" { continue } - if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) { + if redirectHostname == strings.TrimPrefix(allowedHost, ".") || + (strings.HasPrefix(allowedHost, ".") && + strings.HasSuffix(redirectHostname, allowedHost)) { // the domain names match, now validate the ports // if the whitelisted domain's port is '*', allow all ports // if the whitelisted domain contains a specific port, only allow that port // if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https redirectPort := redirectURL.Port() - if (domainPort == "*") || - (domainPort == redirectPort) || - (domainPort == "" && redirectPort == "") { + if allowedPort == "*" || + allowedPort == redirectPort || + (allowedPort == "" && redirectPort == "") { return true } }
oauthproxy_test.go+5 −0 modified@@ -298,6 +298,11 @@ func TestIsValidRedirect(t *testing.T) { Redirect: "/\t/\t\\evil.com", ExpectedResult: false, }, + { + Desc: "openRedirectPartialSubdomain", + Redirect: "http://evilbar.foo", + ExpectedResult: false, + }, } for _, tc := range testCases {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-4mf2-f3wh-gvf2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21291ghsaADVISORY
- github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725ghsax_refsource_MISCWEB
- github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0ghsax_refsource_MISCWEB
- github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2ghsax_refsource_CONFIRMWEB
- pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.