CVE-2021-21291

Name: CVE-2021-21291
Creator: NVD / NIST
Published: 2021-02-02T19:15:14.33+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 1.35%

Last modified Jun 17, 2026

CVE-2021-21291 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. EPSS estimates a 1.35% chance of exploitation in the next 30 days.

Description

OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

1.35%

68.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

Affected Software

Vendor	Product	Versions
Oauth2 Proxy Project	Oauth2 Proxy	< 7.0.0

References

https://github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725Patch, Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0Release Notes, Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2Exploit, Third Party Advisory
https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7Product, Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725Patch, Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0Release Notes, Third Party Advisory
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2Exploit, Third Party Advisory
https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7Product, Third Party Advisory

Timeline

Published: Feb 2, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21291?

How severe is CVE-2021-21291?

CVE-2021-21291 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 1.35% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21291?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21291?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST