CVE-2025-64099
Description
Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the id_token or in the user_info. In the request of an authorize function, a claims parameter containing a JSON file can be injected. This JSON file allows attackers to customize the claims returned by the "id_token" and "user_info" files. This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.openidentityplatform.openam:openam-oauth2Maven | < 16.0.3 | 16.0.3 |
Affected products
1Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-39hr-239p-fhqcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-64099ghsaADVISORY
- github.com/OpenIdentityPlatform/OpenAM/commit/4254b34b2b8b4867f2e7fccfac73904213d48510ghsaWEB
- github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.0.3ghsaWEB
- github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqcnvdWEB
News mentions
0No linked articles in our index yet.