CVE-2025-53003: Janssen Config API returns results without scope verification
What kind of vulnerability is it? Who is impacted? The Config API is an internal service and should never be exposed to the internet. Even so, this is a serious vulnerability: it has a large internal attack surface and exposes all sorts of information from the IDP, including clients, users, scripts, etc.
This affects all users of Janssen versions before 1.8.0 and Gluu Flex versions before 5.8.0.
References
- github.com/GluuFederation/flex/releases/tag/v5.8.0
- github.com/JanssenProject/jans
- github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1
- github.com/JanssenProject/jans/issues/11575
- github.com/JanssenProject/jans/releases/tag/v1.8.0
- github.com/JanssenProject/jans/security/advisories/GHSA-373j-mhpf-84wg
- github.com/advisories/GHSA-373j-mhpf-84wg
- nvd.nist.gov/vuln/detail/CVE-2025-53003