


Perceptive Security
SOC/SIEM Consultancy

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication…
Published:
21 April 2026 at 22:00:00
Alert date:
22 April 2026 at 22:11:22
Source:
nvd.nist.gov
Identity & Access, Web Technologies
OAuth2 Proxy versions 7.5.0 through 7.15.1 contain a configuration-dependent authentication bypass vulnerability. Affected deployments are those that use skip_auth_routes or skip_auth_regex with broad wildcard patterns; attackers can exploit such patterns by using a fragment delimiter (#) or its URL-encoded form (%23) in the request path. This lets unauthenticated attackers bypass authentication controls and access protected resources. The vulnerability is exploitable only under these specific configuration conditions. It is fixed in version 7.15.2, which improves path normalization. Deployments that use exact path matching, or that do not use the skip-auth options, are not affected.
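A triage sketch for the conditions described above, added here as an example and not taken from the advisory or the OAuth2 Proxy project: it checks whether a deployment's version and skip-auth patterns match the affected profile and lists logged requests whose path carries `#` or `%23`. The "broad wildcard" heuristic, the access-log format and all sample values are assumptions.

```python
import re

# Affected range as stated in the advisory: 7.5.0 through 7.15.1 (fixed in 7.15.2).
AFFECTED_MIN, AFFECTED_MAX = (7, 5, 0), (7, 15, 1)
# Assumption: an unescaped '.*' or '.+' is what counts as a "broad wildcard".
BROAD = re.compile(r"(?<!\\)\.[*+]")
# skip_auth_routes entries may carry a method prefix: METHOD=path_regex.
ROUTE = re.compile(r"^(?:[A-Z]*!?=)?(.*)$", re.S)
# Assumed access-log shape (common log format from a front-end proxy).
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample data, not taken from the advisory.
SAMPLE_PATTERNS = ["GET=^/static/.*", "^/healthz$"]
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2026:10:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 900',
    '203.0.113.7 - - [22/Apr/2026:10:00:01 +0000] "GET /static/a%23b HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Apr/2026:10:00:02 +0000] "GET /docs/page#top HTTP/1.1" 403 0',
]


def version_affected(version):
    """True if an x.y.z version string lies inside the affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def broad_patterns(patterns):
    """Return the skip-auth entries whose path regex contains a broad wildcard."""
    return [p for p in patterns if BROAD.search(ROUTE.match(p).group(1))]


def suspicious_requests(log_lines):
    """Return (client, path) for requests whose raw path contains '#' or '%23'."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and re.search(r"#|%23", m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(version, patterns, log_lines):
    """Combine the advisory's conditions: affected version plus a broad pattern."""
    broad = broad_patterns(patterns)
    return {"exposed": version_affected(version) and bool(broad),
            "broad_patterns": broad,
            "requests_to_review": suspicious_requests(log_lines)}


if __name__ == "__main__":
    print(triage("7.14.0", SAMPLE_PATTERNS, SAMPLE_LOG))
```

A hit in `requests_to_review` is a lead for review, not proof of a bypass; compare the response status and the matched route before escalating.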
Technical details
Affected products:
OAuth2 Proxy
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41059
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg
This article was created with the assistance of AI technology by Perceptive.
