CVE-2025-27371: JWT Audience Ambiguity in OAuth 2.0
Platform
other
Component
asvs
Fixed in
7523.0.1
CVE-2025-27371 highlights ambiguities within the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication, specifically concerning audience values. This vulnerability allows for potential authorization bypass, where a malicious actor could potentially gain access to resources they are not authorized to access. The vulnerability impacts implementations of RFC 7523 and related specifications like RFC 7521, RFC 7522, RFC 9101, and RFC 9126. Affected versions include 7523-7523, and a fix is available in version 7523.0.1.
Impact and Attack Scenarios
The core impact of CVE-2025-27371 stems from the ambiguity in how audience values are handled within JWTs used for OAuth 2.0 client authentication. An attacker could craft a JWT with a manipulated or ambiguous audience claim, potentially tricking the authorization server into believing the request is legitimate. This could lead to unauthorized access to protected resources, data breaches, and potentially even complete account takeover depending on the sensitivity of the resources being accessed. The potential blast radius is significant, as OAuth 2.0 is widely used for authentication and authorization across numerous applications and services. While no direct precedent is immediately apparent, the potential for authorization bypass shares similarities with vulnerabilities that exploit improper JWT validation.
Exploitation Context
CVE-2025-27371 was published on March 3, 2025. Severity is currently pending further evaluation. No public Proof-of-Concept (PoC) code has been publicly released at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. Refer to the IETF security announcements and relevant RFC updates for further information.
Threat Intelligence
Exploit Status
EPSS
0.09% (26% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-27371 is to upgrade to version 7523.0.1 or later, which addresses the ambiguity in audience value handling. If upgrading is not immediately feasible, consider implementing stricter audience validation on the authorization server side. This involves explicitly defining and verifying the expected audience values for each client application. Web Application Firewalls (WAFs) can be configured to inspect JWTs and block requests with suspicious or invalid audience claims. Monitor logs for unusual JWT activity, particularly requests with unexpected audience values. After upgrading, confirm proper JWT validation by testing client authentication with valid and invalid audience claims.
How to fix
Este CVE describe una ambigüedad en los valores de audiencia de los JWT enviados a los servidores de autorización. Consulte las especificaciones RFC 7523, RFC 7521, RFC 7522, RFC 9101 (JAR) y RFC 9126 (PAR) para comprender el impacto específico. Implemente validaciones más estrictas de la audiencia en su implementación de OAuth 2.0 para mitigar el riesgo.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2025-27371 — JWT Audience Ambiguity in OAuth 2.0?
CVE-2025-27371 describes an ambiguity in the audience values of JWTs used in OAuth 2.0 client authentication, potentially leading to authorization bypass. It affects implementations of RFC 7523 and related specifications, with a CVSS score of 6.9 (MEDIUM).
Am I affected by CVE-2025-27371 in OAuth 2.0?
If you are using OAuth 2.0 with JWT client authentication and are running versions 7523-7523 of the affected RFCs, you are potentially vulnerable. Review your implementation and upgrade to a patched version.
How do I fix CVE-2025-27371 in OAuth 2.0?
The recommended fix is to upgrade to version 7523.0.1 or later. As an interim measure, implement stricter audience validation on your authorization server.
Is CVE-2025-27371 being actively exploited?
As of the current date, there are no indications of active exploitation campaigns targeting CVE-2025-27371. However, it's crucial to apply the fix proactively.
Where can I find the official OAuth 2.0 advisory for CVE-2025-27371?
Refer to the IETF security announcements and relevant RFC updates for the official advisory and further details: https://datatracker.ietf.org/doc/rfc/rfc7523.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.