CVE-2025-64099
📋 TL;DR
This vulnerability in OpenAM allows attackers to inject arbitrary claims into identity tokens when the 'claims_parameter_supported' feature is enabled. Attackers can manipulate email addresses or other claim values to impersonate users, potentially bypassing authentication. Organizations using OpenAM versions before 16.0.0 with claims parameter support enabled are affected.
💻 Affected Systems
- Open Identity Platform OpenAM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover and identity impersonation across all integrated applications, potentially leading to data breaches, privilege escalation, and unauthorized access to sensitive systems.
Likely Case
Targeted identity impersonation allowing attackers to access applications that rely on specific claim values for user identification, potentially compromising user accounts and sensitive data.
If Mitigated
Limited impact if claims are properly validated by downstream applications or if the vulnerable feature is disabled, though some risk remains from misconfigured clients.
🎯 Exploit Status
Exploitation requires access to make OAuth/OIDC authorization requests and knowledge of the claims parameter feature being enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.0
Vendor Advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqc
Restart Required: Yes
Instructions:
1. Download OpenAM version 16.0.0 or later from the official repository.
2. Back up the current configuration and data.
3. Deploy the new version following the upgrade documentation.
4. Restart OpenAM services.
5. Verify functionality.
🔧 Temporary Workarounds
Disable claims_parameter_supported feature
Disable the vulnerable feature in the OpenAM configuration to prevent exploitation.
Edit the OpenAM configuration to set 'claims_parameter_supported' to false, or remove it from the supported parameters list.
🧯 If You Can't Patch
- Implement strict claim validation in all client applications that consume OpenAM tokens
- Deploy WAF rules to detect and block malicious claims parameter payloads in OAuth/OIDC requests
🔍 How to Verify
Check if Vulnerable:
Check the OpenAM version and verify whether the 'claims_parameter_supported' parameter is enabled in the configuration files or the admin console.
Check Version:
Check the OpenAM admin console or configuration files for version information, or use: java -jar openam-configurator-tool.jar --version
Verify Fix Applied:
Verify OpenAM version is 16.0.0 or later and test that claims parameter injection no longer works by attempting to inject custom claims.
📡 Detection & Monitoring
Log Indicators:
- Unusual claims parameter values in OAuth/OIDC authorization requests
- Multiple failed authentication attempts with modified claim values
- Log entries showing claims parameter processing errors
Network Indicators:
- HTTP requests to /oauth2/authorize endpoint with complex JSON in claims parameter
- Unusual patterns in OAuth flow requests
SIEM Query:
source="openam" AND (message="*claims_parameter*" OR message="*oidc-claims-extension*") AND (message="*inject*" OR message="*malicious*" OR message="*error*")
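As an added example (not from this page or the OpenAM project), the following Python script applies the network indicator above to constructed access-log lines: it extracts the claims parameter from /oauth2/authorize requests and flags those whose claims request pins concrete values with the OIDC Core 5.5 "value"/"values" members rather than merely marking claims essential, plus any claims parameter that is not valid JSON. The log format, client_id and addresses are constructed, and treating value-pinning as the suspicious shape is an assumption drawn from this advisory's summary, not a rule from the vendor.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log shape (not real OpenAM output).
# Line 2 merely marks a claim essential; line 3 pins a value for it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2025:10:00:01 +0000] "GET /openam/oauth2/authorize?client_id=app1&response_type=code&scope=openid%20email HTTP/1.1" 302 -
10.0.0.7 - - [01/Nov/2025:10:00:02 +0000] "GET /openam/oauth2/authorize?client_id=app1&response_type=id_token&scope=openid&claims=%7B%22id_token%22%3A%7B%22email%22%3A%7B%22essential%22%3Atrue%7D%7D%7D HTTP/1.1" 302 -
10.0.0.9 - - [01/Nov/2025:10:00:03 +0000] "GET /openam/oauth2/authorize?client_id=app1&response_type=id_token&scope=openid&claims=%7B%22id_token%22%3A%7B%22email%22%3A%7B%22value%22%3A%22admin%40example.test%22%7D%7D%7D HTTP/1.1" 302 -
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
VALUE_KEYS = {"value", "values"}  # OIDC claims-request members that pin a claim value

def pinned_claims(claims_obj):
    """Return (target, claim) pairs whose request pins a value; 'essential' alone is normal."""
    hits = []
    if isinstance(claims_obj, dict):
        for target, claims in claims_obj.items():  # "id_token" or "userinfo"
            if isinstance(claims, dict):
                for name, spec in claims.items():
                    if isinstance(spec, dict) and not VALUE_KEYS.isdisjoint(spec):
                        hits.append((target, name))
    return hits

def scan_log(text):
    """One finding per /oauth2/authorize request whose claims parameter pins values or is not JSON."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/oauth2/authorize"):
            continue
        params = parse_qs(url.query)  # parse_qs already URL-decodes the values
        client = params.get("client_id", [""])[0]
        for raw in params.get("claims", []):
            try:
                hits = pinned_claims(json.loads(raw))
                reason = "claims request pins values" if hits else None
            except ValueError:
                hits, reason = [], "claims parameter is not valid JSON"
            if reason:
                findings.append({"line": lineno, "client_id": client,
                                 "reason": reason, "claims": hits})
    return findings
```

Run `scan_log` over real access logs (or the SIEM export of the requests matched by the query above) to turn the broad "complex JSON in claims parameter" indicator into a per-client list of requests worth reviewing.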