GHSA-j7px-6hwj-hpjg
HIGHOpen Redirect in OAuth2 Proxy
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/oauth2-proxy/oauth2-proxyReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
As users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites.
However, by crafting a redirect URL with HTML encoded whitespace characters (eg. %0a, %0b,%09,%0d) the validation could be bypassed and allow a redirect to any URL provided.
Patches
@rootxharsh and @iamnoooob provided this patch as potential solution:
From 4b941f56eda310b5c4dc8080b7635a6bfabccad4 Mon Sep 17 00:00:00 2001
From: Harsh Jaiswal <[email protected]>
Date: Fri, 1 May 2020 20:38:31 +0530
Subject: [PATCH] Fixes redirect issue
---
oauthproxy.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index 1e9bb7c..f8beb4d 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -577,8 +577,9 @@ func validOptionalPort(port string) bool {
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
+ matched, _ := regexp.MatchString(`^/\s+/|\\`, redirect)
switch {
- case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !matched:
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
--
2.17.1
This issue was also reported to us separately by @mik317 several hours later
The fix was implemented in #xxx and released as version 5.1.1
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/oauth2-proxy/oauth2-proxy | all versions | 5.1.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/oauth2-proxy/oauth2-proxy. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/oauth2-proxy/oauth2-proxy to 5.1.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-j7px-6hwj-hpjg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-j7px-6hwj-hpjg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-j7px-6hwj-hpjg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-j7px-6hwj-hpjg in your dependencies?
O3 detects GHSA-j7px-6hwj-hpjg across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.