High severity · NVD Advisory · Published Jul 1, 2025 · Updated Apr 15, 2026
CVE-2025-53003
Description
The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returned results without verifying the caller's scopes. This exposes a large internal attack surface, leaking all sorts of information from the IDP, including clients, users, scripts, etc. The issue has been patched in version 1.8.0. As a workaround, users can fork and build the Config API with commit 92eea4d applied to their system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jans:jans-config-api-server (Maven) | < 1.8.0 | 1.8.0 |
Patches
- 92eea4d4637f4f1e6f9de13c
References
- github.com/advisories/GHSA-373j-mhpf-84wg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53003 (GHSA, advisory)
- github.com/GluuFederation/flex/releases/tag/v5.8.0 (GHSA, web)
- github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1 (NVD, web)
- github.com/JanssenProject/jans/issues/11575 (NVD, web)
- github.com/JanssenProject/jans/releases/tag/v1.8.0 (NVD, web)
- github.com/JanssenProject/jans/security/advisories/GHSA-373j-mhpf-84wg (NVD, web)