Medium severity6.9NVD Advisory· Published Mar 3, 2025· Updated Apr 15, 2026
CVE-2025-27370
CVE-2025-27370
Description
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.0 errata set 2
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.