CVE-2025-27370

OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.

CVSS v3 6.9 MEDIUM

6.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://eprint.iacr.org/2025/629
https://github.com/OWASP/ASVS/issues/2678
https://openid.net/notice-of-a-security-vulnerability/
https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
https://talks.secworkshop.events/osw2025/talk/R8D9BS/

Configurations

No configuration.

History

No history.

Information

Published : 2025-03-03 18:15

Updated : 2025-04-25 15:15

NVD link : CVE-2025-27370

Mitre link : CVE-2025-27370

CVE.ORG link : CVE-2025-27370

JSON object : View

Products Affected

No product.

CWE

CWE-305

Authentication Bypass by Primary Weakness

{"id": "CVE-2025-27370", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.6}]}, "published": "2025-03-03T18:15:40.650", "references": [{"url": "https://eprint.iacr.org/2025/629", "source": "[email protected]"}, {"url": "https://github.com/OWASP/ASVS/issues/2678", "source": "[email protected]"}, {"url": "https://openid.net/notice-of-a-security-vulnerability/", "source": "[email protected]"}, {"url": "https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf", "source": "[email protected]"}, {"url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS/", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-305"}]}], "descriptions": [{"lang": "en", "value": "OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client."}, {"lang": "es", "value": "OpenID Connect Core a trav\u00e9s del conjunto de erratas 1.0 2 permite la inyecci\u00f3n de audiencia en determinadas situaciones. Cuando se utiliza el mecanismo de autenticaci\u00f3n private_key_jwt, un servidor de autorizaci\u00f3n malintencionado podr\u00eda enga\u00f1ar a un cliente para que escriba valores controlados por el atacante en la audiencia, incluidos endpoints de token o identificadores de emisor de otros servidores de autorizaci\u00f3n. El servidor de autorizaci\u00f3n malintencionado podr\u00eda entonces utilizar estos JWT de clave privada para hacerse pasar por el cliente."}], "lastModified": "2025-04-25T15:15:35.820", "sourceIdentifier": "[email protected]"}