CVE-2025-64099: OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
If the “claims_parameter_supported” setting is enabled, the “oidc-claims-extension.groovy” script makes it possible to inject a value of the caller's choice into a claim contained in the id_token or in the user_info response. Authorization requests do not prevent a claims parameter containing a JSON document from being injected. This JSON document lets users customize the claims returned in the “id_token” and by “user_info”. This opens up a very wide range of vulnerabilities depending on how clients use claims. For example, if a client relies on an email claim to identify a user, a user can enter any email address and therefore assume any chosen identity.
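The root cause described above is a claims resolver that treats a `value` (or `values`) member of the OIDC `claims` request parameter as the value to emit instead of as a constraint to check against the identity store. The following Python is an added illustration written for this page; it is not OpenAM's `oidc-claims-extension.groovy` script or any OpenAM API. `USER_STORE`, `SUPPORTED_CLAIMS` and the function names are hypothetical, and the sample profile is constructed. It shows the flawed pattern next to a hardened resolver that only ever releases values read from the authoritative store, omits unsupported or unavailable claims, and refuses an essential claim whose stored value does not match what was requested.

```python
import json

# Constructed sample identity store: the only authoritative source of claim values.
USER_STORE = {
    "alice": {"sub": "alice", "email": "alice@example.com", "name": "Alice Example"},
}

# Claims the provider is willing to release through the claims parameter (assumed policy).
SUPPORTED_CLAIMS = {
    "id_token": {"sub", "email", "name"},
    "userinfo": {"sub", "email", "name", "preferred_username"},
}


def parse_claims_request(raw):
    """Parse the OIDC 'claims' request parameter (a JSON object with optional
    'id_token' and 'userinfo' members). Malformed input is rejected outright."""
    try:
        obj = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError("claims parameter is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("claims parameter must be a JSON object")
    parsed = {}
    for target in ("id_token", "userinfo"):
        section = obj.get(target)
        if section is None:
            section = {}
        if not isinstance(section, dict):
            raise ValueError(f"'{target}' member must be a JSON object")
        parsed[target] = section
    return parsed


def _requested_values(spec):
    """Return the list of values a claim spec asks for, or None if it only asks
    for the claim to be released."""
    if not isinstance(spec, dict):
        return None
    if isinstance(spec.get("values"), list):
        return spec["values"]
    if "value" in spec:
        return [spec["value"]]
    return None


def resolve_claims_unsafe(user_id, claims_request, target):
    """The flawed pattern the advisory describes: a requested 'value' is copied
    straight into the token, so the caller picks its own identity."""
    profile = USER_STORE[user_id]
    claims = {"sub": profile["sub"]}
    for name, spec in claims_request[target].items():
        wanted = _requested_values(spec)
        if wanted:
            claims[name] = wanted[0]          # request-controlled, never verified
        elif name in profile:
            claims[name] = profile[name]
    return claims


def resolve_claims_safe(user_id, claims_request, target):
    """Hardened resolver: the request only selects which supported claims to
    release; every value is read from the identity store. A 'value'/'values'
    member is a constraint the stored value is checked against, never a value
    to emit. An essential claim that cannot be satisfied is an error."""
    profile = USER_STORE[user_id]
    claims = {"sub": profile["sub"]}
    for name, spec in claims_request[target].items():
        if name not in SUPPORTED_CLAIMS[target] or name not in profile:
            continue                          # unknown or unavailable: omit silently
        stored = profile[name]
        wanted = _requested_values(spec)
        if wanted is not None and stored not in wanted:
            if isinstance(spec, dict) and spec.get("essential") is True:
                raise ValueError(f"essential claim '{name}' cannot be satisfied")
            continue                          # voluntary mismatch: omit rather than lie
        claims[name] = stored
    return claims


if __name__ == "__main__":
    # Constructed request asking for an email value the user does not own.
    req = parse_claims_request(
        '{"id_token": {"email": {"value": "admin@example.com"}, "name": null}}'
    )
    print("unsafe:", resolve_claims_unsafe("alice", req, "id_token"))
    print("safe:  ", resolve_claims_safe("alice", req, "id_token"))
```

The design point is that the `claims` parameter is a filter over what the provider already knows about the authenticated user, so the hardened resolver never has a code path in which a request-supplied string reaches the token; a mismatch either drops the claim or, when it was marked essential, fails the request.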
References
- github.com/OpenIdentityPlatform/OpenAM
- github.com/OpenIdentityPlatform/OpenAM/commit/4254b34b2b8b4867f2e7fccfac73904213d48510
- github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.0.3
- github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqc
- github.com/advisories/GHSA-39hr-239p-fhqc
- nvd.nist.gov/vuln/detail/CVE-2025-64099