CVE-2025-64099
Published 2025-11-12
Priority: P3 (51) | Severity: high | CVSS 4.0 score: 8.1
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
(The vector carries E:U, exploit maturity "unreported", so 8.1 is the threat-adjusted score; the base metrics alone, network-reachable, low complexity, no privileges or user interaction, high impact on confidentiality, integrity and availability, score 9.3.)
EPSS: 0.29% (20.5th percentile)
Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, when the OIDC claims request parameter is enabled (claims_parameter_supported), the claims script oidc-claims-extension.groovy lets a requester inject the value of their choice into a claim contained in the id_token or in the userinfo response. The authorize endpoint accepts a claims parameter carrying a JSON object (the claims request defined in OIDC Core 1.0, section 5.5), and that object lets the caller set the values of the claims returned in the id_token and from the userinfo endpoint, rather than merely select which claims are released. The impact depends on how relying parties consume claims: a client that identifies a user by the email claim, for example, will accept whatever email address the requester asked for, so the attacker can assume any identity they choose. Note that the attacker still authenticates to OpenAM as an ordinary account; the forged claims ride on the token issued for that otherwise legitimate login. Version 16.0.0 fixes the issue.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openidentityplatform | openam | < 16.0.0 | 16.0.0 |
OSV
osv · 2025-11-12
CVE-2025-64099 [HIGH] OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
### Summary
If the claims_parameter_supported parameter is activated, it is possible, through the oidc-claims-extension.groovy script, to inject the value of one's choice into a claim contained in the id_token or in the userinfo response.
Authorization requests do not prevent a claims parameter carrying a JSON object from being injected. That object lets the requester set the values of the claims returned in the id_token and by the userinfo endpoint.
This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, a requester can enter any email address and therefore assume any chosen identity.
GHSA
ghsa · 2025-11-12
CVE-2025-64099 [HIGH] CWE-74 OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
### Summary
Identical to the OSV summary above.
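The following Python is an added example written for this page; it is not OpenAM's code and not the oidc-claims-extension.groovy script the advisory names. It models the abuse the CVE description and the OSV/GHSA summaries describe: an authorize request carrying a claims parameter (OIDC Core 1.0, section 5.5) whose `value` members the provider copies into the id_token or userinfo response, beside the hardened behaviour where the claims request can only select and match claims whose values come from the user store. The provider functions, the user record and the `claims_parameter_supported` triage helper are all constructed for the example; only the parameter name and the JSON layout are the OIDC standard's.

```python
"""Added example (not OpenAM code): the claims-parameter abuse described in
CVE-2025-64099 and the behaviour an OP should have instead.

Assumptions, all hypothetical and not taken from OpenAM's source:
- the OP's claims resolver receives the parsed `claims` request parameter
  (OIDC Core 1.0 section 5.5 layout) plus the authenticated user's profile;
- the vulnerable resolver copies requester-supplied "value"/"values" into the
  token; the hardened one treats the request only as a filter over profile data.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample user record, as the OP's user store would return it.
USER_STORE = {"alice": {"sub": "alice", "email": "alice@example.org", "groups": ["users"]}}


def build_authorize_url(issuer, client_id, redirect_uri, claims):
    """Build the /authorize request an attacker (or any RP) would send.
    `claims` is the OIDC claims-request object, sent URL-encoded as JSON."""
    params = {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "nonce": "n-0S6_WzA2Mj",  # constructed value
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return f"{issuer}/oauth2/authorize?{urlencode(params)}"


def parse_claims_param(url):
    """What the OP sees after decoding the query string."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0])


def resolve_claims_vulnerable(claims_request, user, target="id_token"):
    """Vulnerable: honours requester-supplied 'value'/'values' verbatim.
    Models the behaviour the advisory describes; `target` is "id_token" or
    "userinfo", the two sections of a claims request."""
    out = {"sub": user["sub"]}
    for name, spec in (claims_request.get(target) or {}).items():
        if isinstance(spec, dict) and "value" in spec:
            out[name] = spec["value"]  # attacker-controlled
        elif isinstance(spec, dict) and "values" in spec:
            out[name] = spec["values"][0]  # attacker-controlled
        elif name in user:
            out[name] = user[name]
    return out


def resolve_claims_hardened(claims_request, user, target="id_token"):
    """Hardened: the request selects which claims to release; every released
    value comes from the authenticated user's profile. 'value'/'values' act as
    a match condition (OIDC Core 5.5.1), never as the source of the value, and
    a claim whose real value does not match is withheld."""
    out = {"sub": user["sub"]}
    for name, spec in (claims_request.get(target) or {}).items():
        if name == "sub" or name not in user:
            continue  # unknown claims are ignored, sub is never overridden
        actual = user[name]
        if isinstance(spec, dict):
            if "value" in spec and spec["value"] != actual:
                continue
            if "values" in spec and actual not in spec["values"]:
                continue
        out[name] = actual
    return out


def discovery_exposes_claims_param(discovery_doc):
    """Triage helper for an RP or auditor: True when the OP's
    .well-known/openid-configuration advertises claims_parameter_supported,
    the precondition named in the advisory."""
    return bool(discovery_doc.get("claims_parameter_supported", False))


if __name__ == "__main__":
    # Attacker logged in as alice asks the OP to assert a different email.
    attack = {"id_token": {"email": {"value": "admin@example.org", "essential": True}}}
    url = build_authorize_url("https://op.example", "rp", "https://rp.example/cb", attack)
    req = parse_claims_param(url)
    print("vulnerable:", resolve_claims_vulnerable(req, USER_STORE["alice"]))
    print("hardened:  ", resolve_claims_hardened(req, USER_STORE["alice"]))
```

Run as a script, the vulnerable resolver returns an id_token payload carrying `admin@example.org` for a login that was actually alice's, which is exactly what a relying party keyed on the email claim would trust; the hardened resolver withholds the claim because the requested value does not match the profile. Until a deployment is on 16.0.0, relying parties should also stop using mutable claims such as email as the identity key and bind accounts to `sub` instead.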
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.