Platform
java
Component
io.jans:jans-config-api-server
Fixed in
1.8.1
1.8.0
CVE-2025-53003 is an information disclosure vulnerability affecting the io.jans:jans-config-api-server component. This vulnerability allows attackers to expose sensitive internal data, including client configurations, user information, and scripts, due to the configAPI being inadvertently exposed. This impacts users of Janssen versions prior to 1.8.0 and Gluu Flex versions prior to 5.8.0, and a patch is available.
The primary impact of CVE-2025-53003 is the exposure of sensitive internal data. The jans-config-api-server is intended as an internal service and should not be accessible from the internet. However, misconfiguration or deployment errors can lead to its exposure, granting attackers access to a wide range of critical information. This includes client credentials, user accounts, authentication scripts, and other configuration details vital to the IDP’s operation. Successful exploitation could lead to unauthorized access, data breaches, and potential compromise of the entire identity provider infrastructure. The blast radius is significant, potentially impacting all services relying on the IDP.
CVE-2025-53003 was publicly disclosed on 2025-06-30. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the ease of exploitation due to the misconfiguration nature of the vulnerability suggests it could be quickly developed. The vulnerability’s impact, combined with the potential for widespread misconfiguration, makes it a high-priority remediation target.
Exploit Status
EPSS
0.11% (29% percentile)
CISA SSVC
The primary mitigation for CVE-2025-53003 is to immediately upgrade to Janssen version 1.8.0 or Gluu Flex version 5.8.0 or later. Prior to upgrading, assess the potential impact on dependent services and plan a rollback strategy if necessary. Ensure proper network segmentation to restrict access to the jans-config-api-server to only authorized internal clients. Implement strict firewall rules to prevent external access. Regularly review and audit configurations to ensure the service is not inadvertently exposed. After upgrading, confirm the vulnerability is resolved by attempting to access the configAPI from an external network and verifying access is denied.
Actualice Janssen Project a la versión 1.8.0 o superior. Como alternativa, puede aplicar el parche del commit 92eea4d construyendo la Config API desde el código fuente.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-53003 is a HIGH severity vulnerability that allows attackers to expose sensitive internal data within the Janssen Config API Server due to misconfiguration, impacting versions prior to 1.8.0.
Yes, if you are using Janssen versions earlier than 1.8.0 or Gluu Flex versions earlier than 5.8.0, you are potentially affected by this information disclosure vulnerability.
Upgrade to Janssen version 1.8.0 or Gluu Flex version 5.8.0 or later to remediate the vulnerability. Ensure proper network segmentation to prevent external access.
There is currently no public evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the Janssen project's GitHub releases page for details and the updated version: https://github.com/JanssenProject/jans/releases/tag/v1.8.0
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.