Description
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
References (5)
Various Sources: https://eprint.iacr.org/2025/629
Various Sources: https://openid.net/notice-of-a-security-vulnerability/
Various Sources: https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
Various Sources: https://talks.secworkshop.events/osw2025/talk/R8D9BS/
Issue Tracking: https://github.com/OWASP/ASVS/issues/2678
Scores
CVSS v3: 6.9
EPSS: 0.0032
EPSS Percentile: 23.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-305
Status: published
Products (1)
OpenID/OpenID Connect: < 1.0 errata set 2
Published: Mar 03, 2025
Tracked Since: Feb 18, 2026