CVE-2025-27370
📋 TL;DR
This OpenID Connect vulnerability lets a malicious Authorization Server choose the value a client places in the audience (aud) claim of the client assertion it signs when authenticating with private_key_jwt. The assertion is signed with the client's genuine key, so an attacker who obtains one whose audience names a different, legitimate Authorization Server can replay it there and masquerade as the client. Affected: any implementation following OpenID Connect Core 1.0 up to and including errata set 2 that uses private_key_jwt client authentication.
💻 Affected Systems
- OpenID Connect Core implementations
- OAuth 2.0 implementations using private_key_jwt
⚠️ Manual Verification Required
This CVE has no version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE entry carries no version ranges (none were provided by the vendor/NVD): the flaw is in the specification, and each client and server library fixes it in its own release. Until you have confirmed your library's status:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete client impersonation allowing unauthorized access to protected resources, potential data exfiltration, and privilege escalation across federated identity systems.
Likely Case
Targeted attacks against specific clients to gain unauthorized access to their resources or perform actions on their behalf in federated identity environments.
If Mitigated
Limited impact where the Authorization Server enforces strict audience validation and clients bind the audience to the token endpoint they actually send the assertion to; some risk remains in multi-tenant deployments that accept several identifiers at one token endpoint.
🎯 Exploit Status
Exploitation requires the attacker to run a malicious Authorization Server and get a vulnerable client to authenticate to it with private_key_jwt; no access to the client's private key is needed, because the client itself signs the assertion carrying the attacker-chosen audience. The attack is documented in the academic paper and the OpenID Foundation notice listed under References.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenID Connect Core 1.0 errata set 3 or later (a specification change; the fix reaches you through the client and server libraries that adopt it, so check your library's release notes)
Vendor Advisory: https://openid.net/notice-of-a-security-vulnerability/
Restart Required: No
Instructions:
1. Update to an implementation that follows OpenID Connect Core 1.0 errata set 3 or later.
2. On the Authorization Server, reject any client assertion whose aud does not identify that server; on clients, set aud to the token endpoint URL the assertion is actually sent to, not to another value copied from server metadata.
3. Review client authentication configurations and remove any audience settings that accept values naming other servers.
🔧 Temporary Workarounds
Disable private_key_jwt authentication (applies to all platforms)
- Temporarily disable the private_key_jwt client authentication method until the fix is deployed
- Configure the affected clients to use another client authentication method in the meantime
Strict audience validation (applies to all platforms)
- Reject any client assertion whose aud claim does not identify this Authorization Server
- Configure audience validation to accept only the known, trusted values that name this server (its token endpoint URL, and the issuer identifier only where the deployment needs it); never accept a pattern, a list that includes other servers, or a value derived from the request
🧯 If You Can't Patch
- Implement strict audience claim validation at all token verification points
- Monitor for unusual authentication patterns and token usage from unexpected Authorization Servers
🔍 How to Verify
Check if Vulnerable:
Check whether your OpenID Connect deployment uses private_key_jwt client authentication and whether its libraries predate OpenID Connect Core 1.0 errata set 3. A direct server-side test: mint a client assertion whose aud names a different server and submit it to your token endpoint; a vulnerable server accepts it. On the client side, check whether aud is taken from server-supplied metadata rather than from the token endpoint URL the assertion is posted to.
Check Version:
Check your OpenID Connect library or framework documentation for version information
Verify Fix Applied:
Verify implementation uses OpenID Connect Core 1.0 errata set 3 or later and properly validates audience claims
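The following Python block is an added example written for this page, not code from the OpenID Foundation, the referenced paper or any OIDC library. It models the attack from the TL;DR together with the checks the fix, workaround and verification sections call for: a client that copies aud from the metadata a malicious server hands it, beside a client that binds aud to the exact token endpoint URL it posts to, and a server that accepts any of its identifiers beside one that accepts only its own token endpoint URL. All names, URLs, keys and the policy labels (lenient/strict) are constructed for the illustration; the signature is stood in by HMAC-SHA256 so the block runs on the standard library alone (real private_key_jwt uses an asymmetric algorithm such as RS256 or ES256, and the audience logic is unchanged). The defensive rule modeled here is this page's "strict audience validation" made concrete, not quoted specification text.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; none of these are real deployments or keys.
CLIENT_ID = "client-app-42"
CLIENT_KEY = b"constructed-client-signing-key"  # stands in for the client's private key
LEGIT_ISSUER = "https://idp.example"
LEGIT_TOKEN_ENDPOINT = "https://idp.example/oauth2/token"
EVIL_TOKEN_ENDPOINT = "https://evil.example/token"
NOW = 1_700_000_000  # fixed clock so every run is reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_client_assertion(key: bytes, aud, now: int = NOW) -> str:
    """Client side: mint the client_assertion JWT for one token request.
    HS256 stands in for the asymmetric algorithm private_key_jwt really uses."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "iat": now, "exp": now + 60, "jti": f"{now}-{aud}"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_client_assertion(assertion: str, key: bytes, own_audiences: set, now: int = NOW) -> dict:
    """Authorization-server side: return the claims or raise ValueError.
    own_audiences is the fixed set of strings that identify THIS server."""
    try:
        h, c, s = assertion.split(".")
    except ValueError:
        raise ValueError("malformed assertion") from None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != claims.get("sub"):
        raise ValueError("iss and sub must both carry the client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    aud = claims.get("aud")
    # Strict audience rule: exactly one value, and it must name this server.
    # A generic JWT library would accept a list with any one matching entry,
    # which is what lets an assertion minted for another server be replayed here.
    if not isinstance(aud, str) or aud not in own_audiences:
        raise ValueError(f"audience {aud!r} does not identify this server")
    return claims


def accepted(assertion: str, own_audiences: set) -> bool:
    """True if a server holding `own_audiences` would authenticate the client."""
    try:
        verify_client_assertion(assertion, CLIENT_KEY, own_audiences)
        return True
    except ValueError:
        return False


def audience_injection_demo() -> dict:
    """Replay the advisory's attack against two client and two server policies;
    return which combinations authenticate the attacker as the client."""
    # Metadata served by the attacker: it claims the legitimate issuer identifier
    # but directs the client's token request to the attacker's own endpoint.
    evil_metadata = {"issuer": LEGIT_ISSUER, "token_endpoint": EVIL_TOKEN_ENDPOINT}

    # Vulnerable client: aud copied from the metadata it was handed.
    from_metadata = sign_client_assertion(CLIENT_KEY, evil_metadata["issuer"])
    # Hardened client: aud is the exact URL it is about to POST the assertion to.
    bound_to_endpoint = sign_client_assertion(CLIENT_KEY, evil_metadata["token_endpoint"])

    # Both assertions are POSTed to EVIL_TOKEN_ENDPOINT, so the attacker holds
    # them and replays each one to the legitimate server's token endpoint.
    lenient_server = {LEGIT_ISSUER, LEGIT_TOKEN_ENDPOINT}  # issuer id or endpoint URL
    strict_server = {LEGIT_TOKEN_ENDPOINT}                 # only its own endpoint URL
    return {
        "vulnerable_client/lenient_server": accepted(from_metadata, lenient_server),
        "vulnerable_client/strict_server": accepted(from_metadata, strict_server),
        "hardened_client/lenient_server": accepted(bound_to_endpoint, lenient_server),
        "hardened_client/strict_server": accepted(bound_to_endpoint, strict_server),
    }


if __name__ == "__main__":
    for combo, impersonated in audience_injection_demo().items():
        print(f"{combo}: {'ATTACKER IN' if impersonated else 'rejected'}")
```

Running audience_injection_demo() shows that the attacker wins only with the vulnerable client and the lenient server together; fixing audience handling on either side stops the replay, which is why the instructions above cover both. Pointing verify_client_assertion at your own identifiers with a foreign-audience assertion is the server-side check described under How to Verify.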
📡 Detection & Monitoring
Log Indicators:
- Unexpected audience values in JWT tokens
- Authentication attempts from unexpected Authorization Servers
- Failed audience validation events
Network Indicators:
- Unusual token requests to unexpected endpoints
- Authentication traffic to unknown Authorization Servers
SIEM Query (pseudo-syntax; adapt to your platform's query language):
jwt.audience NOT IN ["expected_value1", "expected_value2"] OR auth_server NOT IN ["trusted_server1", "trusted_server2"]
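As an added example, not from the original page or any SIEM vendor, the following Python block applies the log indicators and the pseudo-query above to constructed JSON-lines events: it parses each event, raises named indicators for an unexpected audience, a multi-valued audience, an untrusted Authorization Server and a logged audience-validation failure, and tallies flagged authentications per client. The event schema (fields ts, event, client_id, method, aud, auth_server, result, reason), the sample lines and the expected-value sets are all constructed for the illustration; map them onto the fields of your own client, gateway or Authorization Server log.

```python
import json
from collections import Counter

# Constructed expected values for this deployment.
EXPECTED_AUD = {"https://idp.example/oauth2/token"}
TRUSTED_AUTH_SERVERS = {"https://idp.example"}

# Constructed JSON-lines sample, one event per client authentication:
# `aud` is the assertion's audience, `auth_server` the server that received it.
# Not captured from any real system.
SAMPLE_LOG = """\
{"ts":"2025-04-01T10:00:01Z","event":"client_auth","client_id":"client-app-42","method":"private_key_jwt","aud":"https://idp.example/oauth2/token","auth_server":"https://idp.example","result":"success"}
{"ts":"2025-04-01T10:00:02Z","event":"client_auth","client_id":"client-app-42","method":"private_key_jwt","aud":"https://idp.example","auth_server":"https://idp.example","result":"success"}
{"ts":"2025-04-01T10:00:03Z","event":"client_auth","client_id":"client-app-42","method":"private_key_jwt","aud":"https://idp.example/oauth2/token","auth_server":"https://evil.example","result":"success"}
{"ts":"2025-04-01T10:00:04Z","event":"client_auth","client_id":"client-app-7","method":"private_key_jwt","aud":["https://idp.example/oauth2/token","https://evil.example/token"],"auth_server":"https://idp.example","result":"failure","reason":"aud_mismatch"}
{"ts":"2025-04-01T10:00:05Z","event":"client_auth","client_id":"client-app-7","method":"client_secret_basic","auth_server":"https://idp.example","result":"success"}
not a JSON event; left for the log pipeline to handle
"""


def check_event(event: dict) -> list:
    """Return the indicator names raised by one client_auth event, in a fixed order."""
    indicators = []
    aud = event.get("aud")
    audiences = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    if len(audiences) > 1:
        indicators.append("multi_valued_aud")        # client auth should carry one audience
    if any(a not in EXPECTED_AUD for a in audiences):
        indicators.append("unexpected_audience")     # jwt.audience NOT IN expected values
    if event.get("auth_server") not in TRUSTED_AUTH_SERVERS:
        indicators.append("unknown_auth_server")     # auth_server NOT IN trusted servers
    if event.get("result") == "failure" and event.get("reason") == "aud_mismatch":
        indicators.append("aud_validation_failure")  # the server already refused the audience
    return indicators


def scan(log_text: str) -> list:
    """Parse JSON-lines text; return (ts, client_id, indicators) for every
    private_key_jwt authentication that raised at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unstructured line; nothing to evaluate here
        if event.get("event") != "client_auth" or event.get("method") != "private_key_jwt":
            continue  # other methods carry no client assertion, hence no aud to check
        hits = check_event(event)
        if hits:
            findings.append((event["ts"], event["client_id"], hits))
    return findings


def by_client(findings: list) -> dict:
    """Count flagged authentications per client_id, for triage ordering."""
    return dict(Counter(client_id for _, client_id, _ in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ts, client_id, hits in results:
        print(ts, client_id, ", ".join(hits))
    print(by_client(results))
```

On the sample, the second line (audience set to the issuer identifier instead of the token endpoint) and the third line (assertion sent to an unknown server) are the patterns the attack produces on the client side, while the fourth line is what a hardened server's rejection looks like; the fifth line is skipped because client_secret_basic carries no assertion.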
🔗 References
- https://eprint.iacr.org/2025/629
- https://github.com/OWASP/ASVS/issues/2678
- https://openid.net/notice-of-a-security-vulnerability/
- https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
- https://talks.secworkshop.events/osw2025/talk/R8D9BS/