{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64484", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-05T19:12:25.102Z", "datePublished": "2025-11-10T21:33:58.018Z", "dateUpdated": "2025-11-14T19:24:55.471Z"}, "containers": {"cna": {"title": "OAuth2-Proxy vulnerable to header smuggling via underscore, leading to potential privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-644", "lang": "en", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6"}, {"name": "https://datatracker.ietf.org/doc/html/rfc2616#section-4.2", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc2616#section-4.2"}, {"name": "https://datatracker.ietf.org/doc/html/rfc822#section-3.2", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc822#section-3.2"}, {"name": "https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html", "tags": ["x_refsource_MISC"], "url": "https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html"}, {"name": "https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx", "tags": ["x_refsource_MISC"], "url": "https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx"}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"version": "< 7.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-10T21:33:58.018Z"}, "descriptions": [{"lang": "en", "value": "OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy\u2019s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way."}], "source": {"advisory": "GHSA-vjrc-mh2v-45x6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T19:24:50.300456Z", "id": "CVE-2025-64484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T19:24:55.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T19:24:50.300456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T19:24:52.936Z"}}], "cna": {"title": "OAuth2-Proxy vulnerable to header smuggling via underscore, leading to potential privilege escalation", "source": {"advisory": "GHSA-vjrc-mh2v-45x6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "oauth2-proxy", "product": "oauth2-proxy", "versions": [{"status": "affected", "version": "< 7.13.0"}]}], "references": [{"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6", "name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc2616#section-4.2", "name": "https://datatracker.ietf.org/doc/html/rfc2616#section-4.2", "tags": ["x_refsource_MISC"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc822#section-3.2", "name": "https://datatracker.ietf.org/doc/html/rfc822#section-3.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html", "name": "https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx", "name": "https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy\u2019s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-644", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-10T21:33:58.018Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64484", "state": "PUBLISHED", "dateUpdated": "2025-11-14T19:24:55.471Z", "dateReserved": "2025-11-05T19:12:25.102Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-10T21:33:58.018Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy\u2019s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way."}], "id": "CVE-2025-64484", "lastModified": "2025-11-12T16:19:59.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-11-10T22:15:37.490", "references": [{"source": "[email protected]", "url": "https://datatracker.ietf.org/doc/html/rfc2616#section-4.2"}, {"source": "[email protected]", "url": "https://datatracker.ietf.org/doc/html/rfc822#section-3.2"}, {"source": "[email protected]", "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6"}, {"source": "[email protected]", "url": "https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html"}, {"source": "[email protected]", "url": "https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-644"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "oauth2-proxy: OAuth2-Proxy vulnerable to header smuggling via underscore, leading to potential privilege escalation", "id": "2413911", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413911"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-644", "details": ["OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy\u2019s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way.", "A header-smuggling vulnerability was found in OAuth2-Proxy\u2019s handling of HTTP headers containing underscores (_) (such as X_Forwarded_For). The proxy failed to properly normalize these header names, which could allow crafted requests to bypass header validation or filtering. When OAuth2-Proxy is deployed in front of applications (e.g., WSGI frameworks like Django, Flask, FastAPI, or PHP apps) that treat underscores and hyphens differently in header names, an authenticated attacker could exploit this to inject or manipulate upstream headers, potentially gaining unauthorized access to protected endpoints or sensitive information. The vulnerability affects deployments where header trust boundaries are not strictly enforced between the proxy and the backend application."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-64484", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhceph/oauth2-proxy-rhel9", "product_name": "Red Hat Ceph Storage 8"}], "public_date": "2025-11-10T21:33:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-64484\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-64484\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2\nhttps://datatracker.ietf.org/doc/html/rfc822#section-3.2\nhttps://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6\nhttps://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html\nhttps://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx"], "statement": "This flaw has been rated High severity (CVSS 8.5) by Red Hat Product Security.\nS:C (Changed): As the vulnerability within OAuth2-Proxy can affect the behavior of an upstream application that relies on the proxy for identity and access control. The vulnerability causes the proxy to cause a behavior in the backend (internal component) that changes the effective security boundary (the backend treats the injected header as trusted), so scope is changed.\nC:H (High): An attacker can gain access to protected internal endpoints / sensitive application data by bypassing proxy controls.\nI:L (Low): The attacker may be able to influence request routing or authentication headers (some integrity impact), rather than alter application data. Full integrity compromise is unlikely from just header name normalization.\nA:N (None): Availability is not impacted.\n```\nIt is important to note that this vulnerability only applies when OAuth2-Proxy is deployed in front of an application that normalizes or treats underscore header names differently from hyphens, not all deployments are exposed\nThe authentication/authorization logic of OAuth2-Proxy itself is not compromised.\n```", "threat_severity": "Important"}