CVE-2025-64484

CVE-2025-64484 is a high-severity security vulnerability in github.com/oauth2-proxy/oauth2-proxy/v7 (go), affecting versions < 7.13.0. It is fixed in 7.13.0.

Summary

Workarounds

Ensure that filtering and processing logic in upstream services does not treat underscores and hyphens in header names as equivalent.

Impact

All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications) are affected.

Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy’s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised.

CVE-2025-64484 has a CVSS score of 8.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.13.0); upgrading removes the vulnerable code path.

Affected versions

github.com/oauth2-proxy/oauth2-proxy/v7 (< 7.13.0)

Security releases

github.com/oauth2-proxy/oauth2-proxy/v7 → 7.13.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

This change mitigates a request header smuggling vulnerability where an attacker could bypass header stripping by using different capitalization or replacing dashes with underscores. The problem has been patched with v7.13.0.

By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both X-Forwarded-For and X_Forwarded-for will now be treated as equivalent and stripped away.

However, for users who have a reason to keep a similar-looking header and do not want it stripped, a new configuration field for headers managed through AlphaConfig, InsecureSkipHeaderNormalization, has been introduced:

// Header represents an individual header that will be added to a request or
// response header.
type Header struct {
	// Name is the header name to be used for this set of values.
	// Names should be unique within a list of Headers.
	Name string `json:"name,omitempty"`

	// PreserveRequestValue determines whether any values for this header
	// should be preserved for the request to the upstream server.
	// This option only applies to injected request headers.
	// Defaults to false (headers that match this header will be stripped).
	PreserveRequestValue bool `json:"preserveRequestValue,omitempty"`

	// InsecureSkipHeaderNormalization disables normalizing the header name
	// According to RFC 7230 Section 3.2 there aren't any rules about
	// capitalization of header names, but the standard practice is to use
	// Title-Case (e.g. X-Forwarded-For). By default, header names will be
	// normalized to Title-Case and any incoming headers that match will be
	// treated as the same header. Additionally underscores (_) in header names
	// will be converted to dashes (-) when normalizing.
	// Defaults to false (header names will be normalized).
	InsecureSkipHeaderNormalization bool `json:"InsecureSkipHeaderNormalization,omitempty"`

	// Values contains the desired values for this header
	Values []HeaderValue `json:"values,omitempty"`
}
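The following is an added illustration of the normalization-based matching the remediation describes; it is not oauth2-proxy's own code. It assumes a hypothetical, reduced StripRule type that keeps only the two fields from the Header struct above that decide stripping behaviour, and constructs a sample header map in which the canonical X-Forwarded-For key sits next to underscore and lower-case variants. With normalization on (the default), every variant that normalizes to the same name is removed; with InsecureSkipHeaderNormalization set, only the exact key is removed and the variants survive, which is the pre-7.13.0 behaviour the advisory warns about.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// NormalizeHeaderName rewrites underscores to dashes and then applies Go's
// canonical Title-Case form, so "X_Forwarded-for" and "X-Forwarded-For"
// normalize to the same key. Added illustration, not oauth2-proxy's code.
func NormalizeHeaderName(name string) string {
	return http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))
}

// StripRule is a hypothetical, reduced version of the advisory's Header
// struct: only the two fields that decide whether an incoming header is stripped.
type StripRule struct {
	Name                            string
	InsecureSkipHeaderNormalization bool
}

// StripManagedHeaders deletes every incoming header that a rule claims.
// Default: compare normalized names, so case and underscore variants go too.
// InsecureSkipHeaderNormalization: delete only the exact key, which leaves
// variant spellings in place for the upstream application to see.
func StripManagedHeaders(h http.Header, rules []StripRule) {
	for _, r := range rules {
		if r.InsecureSkipHeaderNormalization {
			delete(h, r.Name)
			continue
		}
		want := NormalizeHeaderName(r.Name)
		for key := range h { // deleting during range is safe in Go
			if NormalizeHeaderName(key) == want {
				delete(h, key)
			}
		}
	}
}

// SampleRequestHeaders builds a constructed header map containing the
// canonical key plus underscore/case variants. It fills the map directly
// rather than via http.Header.Set, which would canonicalize the keys and
// hide the raw spellings a client can actually send.
func SampleRequestHeaders() http.Header {
	return http.Header{
		"X-Forwarded-For":    {"198.51.100.7"},
		"X_Forwarded-for":    {"10.0.0.1"},
		"x_forwarded_groups": {"admin"},
		"Accept":             {"*/*"},
	}
}

// RemainingKeys returns the sorted header names left after stripping.
func RemainingKeys(h http.Header) []string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	rules := []StripRule{{Name: "X-Forwarded-For"}, {Name: "X-Forwarded-Groups"}}

	fixed := SampleRequestHeaders()
	StripManagedHeaders(fixed, rules)
	fmt.Println("normalized matching leaves:", RemainingKeys(fixed))

	legacy := SampleRequestHeaders()
	for i := range rules {
		rules[i].InsecureSkipHeaderNormalization = true
	}
	StripManagedHeaders(legacy, rules)
	fmt.Println("exact matching leaves:     ", RemainingKeys(legacy))
}
```

Running it shows the first map reduced to Accept only, while the second still carries X_Forwarded-for and x_forwarded_groups; an upstream that maps both spellings to the same WSGI-style variable would then read the injected values. If you enable InsecureSkipHeaderNormalization for a header, the upstream check from the Workarounds section becomes the only thing standing between a client-supplied variant and that application's trust logic.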

Frequently Asked Questions

  1. What is CVE-2025-64484? CVE-2025-64484 is a high-severity security vulnerability in github.com/oauth2-proxy/oauth2-proxy/v7 (go), affecting versions < 7.13.0. It is fixed in 7.13.0.
  2. How severe is CVE-2025-64484? CVE-2025-64484 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/oauth2-proxy/oauth2-proxy/v7 are affected by CVE-2025-64484? github.com/oauth2-proxy/oauth2-proxy/v7 (go) versions < 7.13.0 are affected.
  4. Is there a fix for CVE-2025-64484? Yes. CVE-2025-64484 is fixed in 7.13.0. Upgrade to this version or later.
  5. Is CVE-2025-64484 exploitable, and should I be worried? Whether CVE-2025-64484 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-64484 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-64484? Upgrade github.com/oauth2-proxy/oauth2-proxy/v7 to 7.13.0 or later.

Other vulnerabilities in github.com/oauth2-proxy/oauth2-proxy/v7

CVE-2026-41059, CVE-2026-40574, CVE-2026-40575, CVE-2026-34457, CVE-2026-34454
