GHSA-qqxw-m5fj-f7gv
MEDIUM
The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
Description
Impact
An open redirect vulnerability has been found in oauth2_proxy. Anyone who uses oauth2_proxy may potentially be impacted.
For context, [detectify] has an in-depth blog post on the potential impact of an open redirect; see in particular the OAuth section.
tl;dr: users' authentication tokens could be silently harvested by an attacker, e.g.:
facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/
Patches
@sauyon found the issue, and has submitted a patch.
diff --git a/oauthproxy.go b/oauthproxy.go
index 72ab580..f420df6 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
- case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
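Review bot: the added `!strings.HasPrefix(redirect, "/\\")` in the first case closes the reported bypass, but it turns the case into a blocklist of prefixes rather than a statement of the invariant it is meant to enforce, namely that a local redirect is a single leading "/" followed by a character that is neither "/" nor "\". Consider expressing the condition that way (a single check on the second byte) and adding a comment that browsers parse `/\host` like `//host`, i.e. as a scheme-relative URL to another host, since that rationale is not visible from the code. A regression test covering `//attacker`, `/\attacker` and a plain `/path` would also guard the fix. The function comment above still says "whitelisted", which is fine for the absolute-URL branch but does not describe the relative-path branch at all.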
This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.
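The following is an added example, not code from the oauth2_proxy project or from the advisory: it places the pre-patch check next to the patched one from the diff above so the bypass and the fix can be exercised side by side. The allow list of hosts (`allowedHosts`) and the host comparison for absolute URLs are assumptions made for this example; the advisory only shows that absolute URLs are parsed with `url.Parse`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allow list for this example. oauth2_proxy's
// own whitelist configuration is not shown in the advisory.
var allowedHosts = map[string]bool{
	"yourdomain.com": true,
}

// hostAllowed parses an absolute redirect and accepts it only when its host
// is on the allow list (assumption for this example).
func hostAllowed(redirect string) bool {
	redirectURL, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	return allowedHosts[redirectURL.Hostname()]
}

// isValidRedirectBefore is the pre-patch logic from the advisory's diff.
// It rejects "//host" (scheme-relative) but not "/\host", which browsers
// normalize to "//host" and therefore also send the user to another origin.
func isValidRedirectBefore(redirect string) bool {
	switch {
	case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
		return true
	case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
		return hostAllowed(redirect)
	default:
		return false
	}
}

// IsValidRedirect is the patched logic: a local path must start with "/"
// and its second character may be neither "/" nor "\". Anything that is not
// a local path or an allow-listed absolute http(s) URL is rejected.
func IsValidRedirect(redirect string) bool {
	switch {
	case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
		return true
	case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
		return hostAllowed(redirect)
	default:
		return false
	}
}

func main() {
	// Constructed sample redirects; attacker.example is a placeholder host.
	samples := []string{
		"/dashboard",
		"//attacker.example/",
		"/\\attacker.example/",
		"https://yourdomain.com/cb",
		"https://attacker.example/",
	}
	for _, r := range samples {
		fmt.Printf("%-26q before=%-5v after=%v\n", r, isValidRedirectBefore(r), IsValidRedirect(r))
	}
}
```

Running it shows that only the `/\attacker.example/` row changes between the two checks: every other input is classified identically, which is what a minimal fix for this advisory should look like.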
Workarounds
At this stage there is no workaround.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/oauth2-proxy/oauth2-proxy | all versions | 5.0.0 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/oauth2-proxy/oauth2-proxy. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/oauth2-proxy/oauth2-proxy to 5.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-qqxw-m5fj-f7gv is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-qqxw-m5fj-f7gv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-qqxw-m5fj-f7gv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-qqxw-m5fj-f7gv in your dependencies?
O3 detects GHSA-qqxw-m5fj-f7gv across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.