CVE-2025-27370
6.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
Summary
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenID | OpenID Connect | 0 <= 1.0 errata set 2 | affected |
Weaknesses
- CWE-305: CWE-305 Authentication Bypass by Primary Weakness
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
- https://openid.net/notice-of-a-security-vulnerability/
- https://talks.secworkshop.events/osw2025/talk/R8D9BS/
- https://github.com/OWASP/ASVS/issues/2678
- https://eprint.iacr.org/2025/629
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.