VYPR
Get started
← All advisories
High severity8.5OSV Advisory· Published Nov 10, 2025· Updated Apr 15, 2026

CVE-2025-64484

CVE-2025-64484

Description

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy’s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both X-Forwarded-For and X_Forwarded-for will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called InsecureSkipHeaderNormalization. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/oauth2-proxy/oauth2-proxy/v7Go
< 7.13.07.13.0

Affected products

1

Patches

1
f3f30fa976fb

Merge commit from fork

https://github.com/oauth2-proxy/oauth2-proxyJan LarwigNov 8, 2025via ghsa
commit
4 files changed · +40 1
  • docs/docs/configuration/alpha_config.md+1 0 modified
    @@ -266,6 +266,7 @@ response header.
 | ----- | ---- | ----------- |
 | `name` | _string_ | Name is the header name to be used for this set of values.<br/>Names should be unique within a list of Headers. |
 | `preserveRequestValue` | _bool_ | PreserveRequestValue determines whether any values for this header<br/>should be preserved for the request to the upstream server.<br/>This option only applies to injected request headers.<br/>Defaults to false (headers that match this header will be stripped). |
+| `InsecureSkipHeaderNormalization` | _bool_ | InsecureSkipHeaderNormalization disables normalizing the header name<br/>According to RFC 7230 Section 3.2 there aren't any rules about<br/>capitalization of header names, but the standard practice is to use<br/>Title-Case (e.g. X-Forwarded-For). By default, header names will be<br/>normalized to Title-Case and any incoming headers that match will be<br/>treated as the same header. Additionally underscores (_) in header names<br/>will be converted to dashes (-) when normalizing.<br/>Defaults to false (header names will be normalized). |
 | `values` | _[[]HeaderValue](#headervalue)_ | Values contains the desired values for this header |
 
 ### HeaderValue
  • pkg/apis/options/header.go+10 0 modified
    @@ -13,6 +13,16 @@ type Header struct {
 	// Defaults to false (headers that match this header will be stripped).
 	PreserveRequestValue bool `json:"preserveRequestValue,omitempty"`
 
+	// InsecureSkipHeaderNormalization disables normalizing the header name
+	// According to RFC 7230 Section 3.2 there aren't any rules about
+	// capitalization of header names, but the standard practice is to use
+	// Title-Case (e.g. X-Forwarded-For). By default, header names will be
+	// normalized to Title-Case and any incoming headers that match will be
+	// treated as the same header. Additionally underscores (_) in header names
+	// will be converted to dashes (-) when normalizing.
+	// Defaults to false (header names will be normalized).
+	InsecureSkipHeaderNormalization bool `json:"InsecureSkipHeaderNormalization,omitempty"`
+
 	// Values contains the desired values for this header
 	Values []HeaderValue `json:"values,omitempty"`
 }
  • pkg/middleware/headers.go+5 0 modified
    @@ -53,6 +53,11 @@ func flattenHeaders(headers http.Header) {
 func stripHeaders(headers []options.Header, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		for _, header := range headers {
+			if header.InsecureSkipHeaderNormalization {
+				req.Header.Del(header.Name)
+				continue
+			}
+
 			stripNormalizedHeader(req, header)
 		}
 		next.ServeHTTP(rw, req)
  • pkg/middleware/headers_test.go+24 1 modified
    @@ -205,7 +205,7 @@ var _ = Describe("Headers Suite", func() {
 			expectedHeaders: nil,
 			expectedErr:     "error building request header injector: error building request injector: error building injector for header \"X-Auth-Request-Authorization\": error loading basicAuthPassword: secret source is invalid: exactly one entry required, specify either value, fromEnv or fromFile",
 		}),
-		Entry("strips normalized variants before injecting (no preservation)", headersTableInput{
+		Entry("strips normalized variants before injecting", headersTableInput{
 			headers: []options.Header{
 				{
 					Name: "X-Auth-Request-User",
@@ -226,6 +226,29 @@ var _ = Describe("Headers Suite", func() {
 			},
 			expectedErr: "",
 		}),
+		Entry("doesn't strip normalized variants before injecting", headersTableInput{
+			headers: []options.Header{
+				{
+					Name:                            "X-Auth-Request-User",
+					InsecureSkipHeaderNormalization: true,
+					Values: []options.HeaderValue{
+						{
+							ClaimSource: &options.ClaimSource{Claim: "user"},
+						},
+					},
+				},
+			},
+			initialHeaders: http.Header{
+				"X-Auth-Request-User": []string{"old"},
+				"X-Auth_Request_User": []string{"evil"},
+			},
+			session: &sessionsapi.SessionState{User: "user-123"},
+			expectedHeaders: http.Header{
+				"X-Auth-Request-User": []string{"user-123"},
+				"X-Auth_Request_User": []string{"evil"},
+			},
+			expectedErr: "",
+		}),
 	)
 
 	DescribeTable("the response header injector",

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.