Platform
other
Component
asvs
Fixed in
1.0.1
CVE-2025-27370 describes an audience injection vulnerability within OpenID Connect Core, specifically when utilizing the privatekeyjwt authentication mechanism. A malicious Authorization Server can exploit this flaw to manipulate the audience parameter, potentially allowing them to impersonate Clients and gain unauthorized access. This vulnerability impacts versions 0 through 1.0 errata set 2 and is addressed in version 1.0.1.
The primary impact of CVE-2025-27370 lies in the potential for identity theft and unauthorized access. An attacker controlling a malicious Authorization Server can craft private key JWTs containing attacker-controlled audience values. These values could include token endpoints or issuer identifiers of other Authorization Servers, effectively allowing the attacker to impersonate the Client. This could lead to the attacker gaining access to sensitive data or performing actions on behalf of the Client, potentially escalating to broader system compromise if the Client has elevated privileges. The blast radius extends to any systems relying on the vulnerable OpenID Connect Core implementation for authentication.
CVE-2025-27370 was published on March 3, 2025. Severity is currently assessed as medium. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's nature suggests it could be relatively easy to exploit once a POC is released. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.12% (30% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-27370 is to upgrade to OpenID Connect Core version 1.0.1 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider implementing stricter validation of the audience claim within the Client application. This validation should ensure that the audience matches the expected values and prevent the acceptance of JWTs with unexpected or attacker-controlled audience values. Web Application Firewalls (WAFs) configured to inspect JWTs and validate audience claims can provide an additional layer of defense. Carefully review and audit the configuration of your Authorization Servers and Clients to identify and eliminate any potential vulnerabilities.
Actualice a una versión de la biblioteca OpenID Connect Core que haya abordado esta vulnerabilidad. Consulte las notas de la versión o el registro de cambios de la biblioteca para obtener información sobre la versión corregida. Implemente validaciones adicionales en el lado del cliente para verificar la validez de la audiencia en los tokens JWT recibidos.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-27370 is a medium severity vulnerability in OpenID Connect Core (versions 0–1.0 errata set 2) that allows an attacker to inject malicious values into the audience claim of JWTs, potentially enabling impersonation.
If you are using OpenID Connect Core versions 0 through 1.0 errata set 2 and utilize the privatekeyjwt authentication mechanism, you are potentially affected by this vulnerability.
Upgrade to OpenID Connect Core version 1.0.1 or later to address the vulnerability. As a temporary workaround, implement stricter audience claim validation within your Client application.
Currently, there is no widespread evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a public proof-of-concept is available.
Refer to the OpenID Foundation website and relevant security mailing lists for official advisories and updates regarding CVE-2025-27370.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.