Incorrect signature verification on Google-oauth-java-client
Description
IDTokenVerifier in google-oauth-java-client before 1.33.3 skips signature validation, letting attackers pass forged tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The IdTokenVerifier class in google-oauth-java-client versions >= 1.16.0-rc and < 1.33.3 does not verify the cryptographic signature of ID tokens before validating claims such as iss and aud [3]. This means the library accepts a token from any source as long as the payload parses and its claims pass those checks, without ever confirming that the token was issued by the legitimate provider [2].
Exploitation
An attacker can craft a token with a modified payload (e.g., altering the email or phone_number claim) and provide a malformed or absent signature [3]. No special network position is required beyond delivering the token to the application. The victim's client-side code calling IdTokenVerifier.verify() will accept the token because signature checking is never performed [2].
Impact
A successful attack grants the attacker the ability to impersonate any user identity by injecting arbitrary claims into the ID token. The application will treat the forged token as valid, potentially leading to unauthorized access, privilege escalation, or data leakage [2]. If the token is forwarded to a backend service that performs its own signature validation, the risk is partially mitigated there, but client-side trust is still compromised [3].
Mitigation
The vulnerability is fixed in google-oauth-java-client version 1.33.3, released on 2022-05-03 [1][4]. Users should upgrade to 1.33.3 or later. No workaround is available; applications must use the patched library [3].
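As an added example (not code from google-oauth-java-client, which is a Java library, and not taken from the advisory), the stand-alone Python below contrasts a verifier that mirrors the pre-1.33.3 behaviour, checking iss, aud and exp but never the signature, with one that verifies the signature before reading any claim. Real ID tokens are RS256-signed by the provider; because the Python standard library has no RSA, the example uses HS256 with a constructed shared secret, and the issuer, audience, key and claim values are all constructed for the demonstration.

```python
"""Added example: claim-only verification (the CVE-2021-22573 defect class)
beside a verifier that checks the signature first. HS256 stands in for the
provider's RS256 signature; the ordering lesson is the same."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: not a real issuer, client id or key.
ISSUER = "https://issuer.example"
AUDIENCE = "client-id-example"
PROVIDER_KEY = b"constructed-shared-secret-for-demo"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Provider side (constructed): HS256 JWT over header.payload."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def _claims_ok(payload: dict, now: float) -> bool:
    """The iss / aud / exp checks that the affected versions did perform."""
    aud = payload.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    exp = payload.get("exp")
    return payload.get("iss") == ISSUER and AUDIENCE in aud_set \
        and isinstance(exp, (int, float)) and exp > now


def verify_vulnerable(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Mirrors the defect: parses the payload, checks claims, never looks at
    the signature. Returns the claims it would trust, or None."""
    now = time.time() if now is None else now
    try:
        _header, payload_b64, _sig = token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    return payload if _claims_ok(payload, now) else None


def verify_fixed(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: pin the algorithm, verify the signature with the
    provider's key, and only then evaluate claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # rejects "none" and algorithm confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time, length-safe
        return None
    return payload if _claims_ok(payload, now) else None


def tamper(token: str, **changes) -> str:
    """Edits payload claims and keeps the old signature: the forged input the
    advisory describes, whose signature no longer matches its payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_b64url_encode(json.dumps(payload).encode())}.{sig_b64}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """For each verifier, whether genuine, tampered and unsigned tokens pass."""
    genuine = issue_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 3600,
                           "email": "alice@example.test"}, PROVIDER_KEY)
    forged = tamper(genuine, email="admin@example.test")
    unsigned = forged.rsplit(".", 1)[0] + "."  # signature segment absent
    return {
        "vulnerable_accepts_genuine": verify_vulnerable(genuine, now) is not None,
        "vulnerable_accepts_forged": verify_vulnerable(forged, now) is not None,
        "vulnerable_accepts_unsigned": verify_vulnerable(unsigned, now) is not None,
        "fixed_accepts_genuine": verify_fixed(genuine, PROVIDER_KEY, now) is not None,
        "fixed_accepts_forged": verify_fixed(forged, PROVIDER_KEY, now) is not None,
        "fixed_accepts_unsigned": verify_fixed(unsigned, PROVIDER_KEY, now) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Run directly, it prints the six outcomes: the claim-only verifier accepts the genuine, tampered and unsigned tokens alike, while the hardened one accepts only the genuine token. The pattern to carry into any verifier is the order of operations: fix the expected algorithm, check the signature against the provider's published key, and only then read iss, aud, exp or any identity claim such as email; the claim checks alone are what the affected versions performed.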
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.google.oauth-client:google-oauth-client (Maven) | >= 1.16.0-rc, < 1.33.3 | 1.33.3 |
Affected products
- GHSA coordinates (2 versions): pkg:maven/com.google.oauth-client/google-oauth-client; pkg:rpm/opensuse/google-oauth-java-client&distro=openSUSE%20Leap%2015.5
  Range: >= 1.16.0-rc, < 1.33.3 (+ 1 more)
- (no CPE) Range: >= 1.16.0-rc, < 1.33.3
- (no CPE) Range: < 1.22.0-150200.3.7.1
- Google LLC / Google-oauth-java-client (v5) Range: unspecified
Patches
c634ad4e31ca chore(main): release 1.33.3 (#872)
12 files changed · +23 −16
CHANGELOG.md+7 −0 modified@@ -1,5 +1,12 @@ # Changelog +### [1.33.3](https://github.com/googleapis/google-oauth-java-client/compare/v1.33.2...v1.33.3) (2022-04-13) + + +### Bug Fixes + +* add signature verification to IdTokenVerifier ([#861](https://github.com/googleapis/google-oauth-java-client/issues/861)) ([22419d6](https://github.com/googleapis/google-oauth-java-client/commit/22419d60579ef4c1a8a256a90e6ca7bc58f09aa1)) + ### [1.33.2](https://github.com/googleapis/google-oauth-java-client/compare/v1.33.1...v1.33.2) (2022-04-07)
google-oauth-client-appengine/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <artifactId>google-oauth-client-appengine</artifactId>
google-oauth-client-assembly/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <groupId>com.google.oauth-client</groupId>
google-oauth-client-bom/pom.xml+6 −6 modified@@ -3,7 +3,7 @@ <modelVersion>4.0.0</modelVersion> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-bom</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <packaging>pom</packaging> <name>Google OAuth Client Library for Java BOM</name> @@ -63,27 +63,27 @@ <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> </dependency> <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-appengine</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> </dependency> <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-java6</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> </dependency> <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-jetty</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> </dependency> <dependency> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-servlet</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> </dependency> </dependencies> </dependencyManagement>
google-oauth-client-java6/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <artifactId>google-oauth-client-java6</artifactId>
google-oauth-client-jetty/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <artifactId>google-oauth-client-jetty</artifactId>
google-oauth-client/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <artifactId>google-oauth-client</artifactId>
google-oauth-client-servlet/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../pom.xml</relativePath> </parent> <artifactId>google-oauth-client-servlet</artifactId>
pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <packaging>pom</packaging> <name>Parent for the Google OAuth Client Library for Java</name> <description>Google OAuth Client Library for Java</description>
samples/dailymotion-cmdline-sample/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../../pom.xml</relativePath> </parent> <artifactId>dailymotion-simple-cmdline-sample</artifactId>
samples/keycloak-pkce-cmdline-sample/pom.xml+1 −1 modified@@ -4,7 +4,7 @@ <parent> <groupId>com.google.oauth-client</groupId> <artifactId>google-oauth-client-parent</artifactId> - <version>1.33.3-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> + <version>1.33.3</version><!-- {x-version-update:google-oauth-client:current} --> <relativePath>../../pom.xml</relativePath> </parent> <artifactId>keycloak-pkce-cmdline-sample</artifactId>
versions.txt+1 −1 modified@@ -1,4 +1,4 @@ # Format: # module:released-version:current-version -google-oauth-client:1.33.2:1.33.3-SNAPSHOT +google-oauth-client:1.33.3:1.33.3
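Review bot: the IdTokenVerifier change is not in any of these hunks; this is the release commit, and the only thing it says about the fix is the CHANGELOG line pointing to #861 / 22419d6, so anyone auditing what actually changed in signature handling should review that commit rather than this one. Two points in the CHANGELOG hunk itself: the new `### [1.33.3]` heading is dated 2022-04-13 while the advisory text above gives 2022-05-03 as the release date, and the two should be reconciled so that a build's date can be compared reliably against the fix; and the entry sits under "Bug Fixes" with no indication that it closes a signature-verification bypass, so a security note or a link to GHSA-hw42-3568-wj87 would help downstream consumers prioritise the upgrade.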
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hw42-3568-wj87 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-22573 (ghsa, ADVISORY)
- github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0 (ghsa, WEB)
- github.com/googleapis/google-oauth-java-client/pull/872 (ghsa, x_refsource_MISC, WEB)
- github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87 (ghsa, WEB)