Vulnerability DatabaseCVE-2025-64484

CVE-2025-64484:
MinimOS vulnerability analysis and mitigation

Overview

A header-smuggling vulnerability (CVE-2025-64484) was discovered in OAuth2-Proxy's handling of HTTP headers containing underscores (_). The vulnerability affects versions up to and including 7.12.0 and was patched in version 7.13.0. The issue allows authenticated users to bypass header filtering logic by using underscore variants of X-Forwarded-* headers, potentially leading to privilege escalation in upstream applications (GitHub Advisory).

Technical details

The vulnerability stems from HTTP header normalization behavior where headers containing underscores are treated equivalently to their hyphenated variants. For example, both X-Forwarded-For and X_Forwarded_for would be normalized to the same header. This normalization occurs due to legacy CGI specifications where HTTP headers are converted to environment variables. The vulnerability specifically affects deployments where OAuth2-Proxy is placed in front of applications that normalize underscores to dashes in HTTP headers, such as WSGI-based frameworks (Django, Flask, FastAPI) and PHP applications (Telekom Security).

Impact

The vulnerability allows authenticated users to bypass header filtering mechanisms by injecting underscore variants of headers that would normally be stripped. This can lead to privilege escalation in upstream applications that rely on these headers for security decisions. While OAuth2-Proxy's own authentication and authorization mechanisms remain uncompromised, the header smuggling can affect security controls in the protected applications (GitHub Advisory).

Mitigation and workarounds

The issue has been patched in OAuth2-Proxy version 7.13.0, which introduces header normalization by default. The patch ensures that both capitalization and underscore/dash usage are normalized when matching headers to be stripped. For cases requiring preservation of similar headers, a new configuration field 'InsecureSkipHeaderNormalization' has been introduced. Additionally, organizations should ensure their upstream services don't treat underscores and hyphens in headers equivalently (GitHub Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.5

Score

Published November 10, 2025

Severity HIGH

CNA Score 8.5

Affected Technologies

MinimOS

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 9.5

Exploitation Probability (EPSS) N/A

Affected packages and libraries

github.com/oauth2-proxy/oauth2-proxy/v7
github.com/oauth2-proxy/oauth2-proxy

Sources

NVD
GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Nov 13, 2025
Minimus
- MinimOS Severity HIGHHas FixAdded at: Nov 14, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related MinimOS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-21441	HIGH	8.9	Python	barman	No	Yes	Jan 07, 2026
CVE-2025-69262	HIGH	7.5	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2025-69263	HIGH	7.5	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2025-68158	MEDIUM	5.7	Python	airflow-3	No	Yes	Jan 08, 2026
CVE-2025-61594	LOW	2.7	Ruby	rubygem-bigdecimal-debuginfo	No	Yes	Dec 30, 2025