GHSA-5hvv-m4w4-gf6v

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

• OAuth2 Proxy is used with an auth_request-style integration (for example, nginx auth_request)
• --ping-user-agent is set or --gcp-healthchecks is enabled

In affected configurations, OAuth2 Proxy will treat a request with the configured health check User-Agent value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.

This issue does not affect deployments that do not use auth_request-style subrequests, or that do not enable --ping-user-agent/--gcp-healthchecks.

Patches

Users should upgrade to v7.15.2 or later once available. Deployments running versions prior to v7.15.2 should be considered affected if they use auth_request-style authentication together with --ping-user-agent or --gcp-healthchecks.

Workarounds

Users can mitigate this issue by:

• disabling --gcp-healthchecks
• removing any configured --ping-user-agent
• ensuring the reverse proxy does not forward client-controlled User-Agent headers to the OAuth2 Proxy auth subrequest
• using path-based health checks only, on dedicated health check endpoints

Example nginx mitigation for the auth subrequest:

location = /oauth2/auth {
    internal;
    proxy_pass http://127.0.0.1:4180;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header Host $host;
    # set to value that isn't the same as your configured PingUserAgent or GCPs "GoogleHC/1.0"
    proxy_set_header User-Agent "oauth2-proxy-auth-request";
}