Platform
other
Component
asvs
Fixed in
7523.0.1
CVE-2025-27371 highlights ambiguities within the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication, specifically concerning audience values. This vulnerability allows for potential authorization bypass, where a malicious actor could potentially gain access to resources they are not authorized to access. The vulnerability impacts implementations of RFC 7523 and related specifications like RFC 7521, RFC 7522, RFC 9101, and RFC 9126. Affected versions include 7523-7523, and a fix is available in version 7523.0.1.
The core impact of CVE-2025-27371 stems from the ambiguity in how audience values are handled within JWTs used for OAuth 2.0 client authentication. An attacker could craft a JWT with a manipulated or ambiguous audience claim, potentially tricking the authorization server into believing the request is legitimate. This could lead to unauthorized access to protected resources, data breaches, and potentially even complete account takeover depending on the sensitivity of the resources being accessed. The potential blast radius is significant, as OAuth 2.0 is widely used for authentication and authorization across numerous applications and services. While no direct precedent is immediately apparent, the potential for authorization bypass shares similarities with vulnerabilities that exploit improper JWT validation.
CVE-2025-27371 was published on March 3, 2025. Severity is currently pending further evaluation. No public Proof-of-Concept (PoC) code has been publicly released at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. Refer to the IETF security announcements and relevant RFC updates for further information.
Exploit Status
EPSS
0.09% (26% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-27371 is to upgrade to version 7523.0.1 or later, which addresses the ambiguity in audience value handling. If upgrading is not immediately feasible, consider implementing stricter audience validation on the authorization server side. This involves explicitly defining and verifying the expected audience values for each client application. Web Application Firewalls (WAFs) can be configured to inspect JWTs and block requests with suspicious or invalid audience claims. Monitor logs for unusual JWT activity, particularly requests with unexpected audience values. After upgrading, confirm proper JWT validation by testing client authentication with valid and invalid audience claims.
Este CVE describe una ambigüedad en los valores de audiencia de los JWT enviados a los servidores de autorización. Consulte las especificaciones RFC 7523, RFC 7521, RFC 7522, RFC 9101 (JAR) y RFC 9126 (PAR) para comprender el impacto específico. Implemente validaciones más estrictas de la audiencia en su implementación de OAuth 2.0 para mitigar el riesgo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-27371 describes an ambiguity in the audience values of JWTs used in OAuth 2.0 client authentication, potentially leading to authorization bypass. It affects implementations of RFC 7523 and related specifications, with a CVSS score of 6.9 (MEDIUM).
If you are using OAuth 2.0 with JWT client authentication and are running versions 7523-7523 of the affected RFCs, you are potentially vulnerable. Review your implementation and upgrade to a patched version.
The recommended fix is to upgrade to version 7523.0.1 or later. As an interim measure, implement stricter audience validation on your authorization server.
As of the current date, there are no indications of active exploitation campaigns targeting CVE-2025-27371. However, it's crucial to apply the fix proactively.
Refer to the IETF security announcements and relevant RFC updates for the official advisory and further details: https://datatracker.ietf.org/doc/rfc/rfc7523.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.