CVE-2025-53003 is an information disclosure vulnerability affecting the io.jans:jans-config-api-server component. This vulnerability allows attackers to expose sensitive internal data, including client configurations, user information, and scripts, due to the configAPI being inadvertently exposed. This impacts users of Janssen versions prior to 1.8.0 and Gluu Flex versions prior to 5.8.0, and a patch is available.
The primary impact of CVE-2025-53003 is the exposure of sensitive internal data. The jans-config-api-server is intended as an internal service and should not be accessible from the internet. However, misconfiguration or deployment errors can lead to its exposure, granting attackers access to a wide range of critical information. This includes client credentials, user accounts, authentication scripts, and other configuration details vital to the IDP’s operation. Successful exploitation could lead to unauthorized access, data breaches, and potential compromise of the entire identity provider infrastructure. The blast radius is significant, potentially impacting all services relying on the IDP.
CVE-2025-53003 was publicly disclosed on 2025-06-30. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but because exploitation amounts to reaching a service that should never have been exposed, such code could be developed quickly. The vulnerability’s impact, combined with the potential for widespread misconfiguration, makes it a high-priority remediation target.
Organizations utilizing Janssen or Gluu Flex for identity management are at risk, particularly those with deployments where the jans-config-api-server is inadvertently exposed to external networks. Shared hosting environments or deployments with relaxed network security policies are especially vulnerable.
• linux / server:
  journalctl -u jans-config-api-server | grep -i "exposed to internet"
• generic web:
  curl -I <jans-config-api-server-ip> | grep Server
• generic web:
  curl -I <jans-config-api-server-ip> | grep -i "X-Powered-By"
Exploitation status
EPSS: 0.11% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2025-53003 is to immediately upgrade to Janssen version 1.8.0 or Gluu Flex version 5.8.0 or later. Prior to upgrading, assess the potential impact on dependent services and plan a rollback strategy if necessary. Ensure proper network segmentation to restrict access to the jans-config-api-server to only authorized internal clients. Implement strict firewall rules to prevent external access. Regularly review and audit configurations to ensure the service is not inadvertently exposed. After upgrading, confirm the vulnerability is resolved by attempting to access the configAPI from an external network and verifying access is denied.
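The external-access check described above, as an added example that is not part of the original advisory or the Janssen project: run it from a vantage point outside the trusted network, and the only acceptable verdict is "unreachable". The probe path under /jans-config-api/ is an assumption, as is the example hostname; any HTTP answer at all (including 401/403 or a TLS handshake failure) proves the listener is reachable, which already violates the internal-only requirement.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Assumption (not from the advisory): the Config API is served under this prefix.
DEFAULT_PATH = "/jans-config-api/api/v1/health"
# Headers the advisory's detection commands grep for; their presence fingerprints the host.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By")


def classify_response(status, headers):
    """Turn an HTTP status and response headers into an exposure verdict.

    Any answer means the service is reachable from this vantage point; a 2xx
    means data is served without authentication and is the worst case."""
    leaks = [h for h in FINGERPRINT_HEADERS if any(k.lower() == h.lower() for k in headers)]
    if 200 <= status < 300:
        verdict = "exposed"
    elif status in (401, 403):
        verdict = "reachable_auth_gated"
    else:
        verdict = "reachable_other"
    return {"verdict": verdict, "status": status, "leaks": leaks}


def probe_config_api(base_url, path=DEFAULT_PATH, timeout=5.0):
    """Probe base_url + path and return a dict with 'verdict', 'status', 'leaks'."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:        # 4xx/5xx still proves reachability
        return classify_response(err.code, dict(err.headers))
    except urllib.error.URLError as err:
        # A TLS failure (e.g. self-signed certificate) means a listener answered:
        # report it as reachable instead of masking it as "unreachable".
        if isinstance(err.reason, ssl.SSLError):
            return {"verdict": "reachable_tls_error", "status": None, "leaks": []}
        return {"verdict": "unreachable", "status": None, "leaks": []}
    except OSError:                               # timeout, connection refused, no route
        return {"verdict": "unreachable", "status": None, "leaks": []}


if __name__ == "__main__":
    # Hypothetical hostname; pass the real IDP base URL as the first argument.
    result = probe_config_api(sys.argv[1] if len(sys.argv) > 1 else "https://idp.example.test")
    print(result)
    sys.exit(0 if result["verdict"] == "unreachable" else 1)
```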
Upgrade Janssen Project to version 1.8.0 or later. Alternatively, you can apply the patch from commit 92eea4d by building the Config API from source.
CVE-2025-53003 is a HIGH severity vulnerability that allows attackers to expose sensitive internal data within the Janssen Config API Server due to misconfiguration, impacting versions prior to 1.8.0.
Yes, if you are using Janssen versions earlier than 1.8.0 or Gluu Flex versions earlier than 5.8.0, you are potentially affected by this information disclosure vulnerability.
Upgrade to Janssen version 1.8.0 or Gluu Flex version 5.8.0 or later to remediate the vulnerability. Ensure proper network segmentation to prevent external access.
There is currently no public evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the Janssen project's GitHub releases page for details and the updated version: https://github.com/JanssenProject/jans/releases/tag/v1.8.0