Medium severity6.9NVD Advisory· Published Mar 3, 2025· Updated Apr 15, 2026

CVE-2025-27370

Description

OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

eprint.iacr.org/2025/629nvd
github.com/OWASP/ASVS/issues/2678nvd
openid.net/notice-of-a-security-vulnerability/nvd
openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdfnvd
talks.secworkshop.events/osw2025/talk/R8D9BS/nvd

News mentions

No linked articles in our index yet.

cvss	0.449
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000