Security Advisory

CVE-2025-27370

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-03-03 00:00:00

Last updated 2025-04-25 14:43:40

Assigner mitre

State PUBLISHED

Description

OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.

← Browse all CVEs View on cve.org ↗