CVE-2025-46647
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apisix | to 3.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-302 | The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. |
| NVD-CWE-noinfo | Insufficient information: NVD placeholder used when no specific CWE is assigned. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the openid-connect plugin of Apache APISIX when used in introspection mode. It occurs if the authentication service supports multiple issuers that share the same private key and rely solely on the issuer identifier to differentiate users. An attacker with a valid account on one issuer can exploit this to log into another issuer, bypassing proper authentication boundaries.
How can this vulnerability impact me?
If you are using the openid-connect plugin with introspection mode and your authentication service supports multiple issuers sharing the same private key, this vulnerability could allow an attacker with access to one issuer to gain unauthorized access to accounts on other issuers. This could lead to unauthorized access to sensitive data or services across different issuers.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache APISIX to version 3.12.0 or higher, as this version contains the fix for the vulnerability in the openid-connect plugin.
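The following is an added, self-contained model of the failure mode described in the Q&A above; it is not APISIX code and does not reproduce the plugin's configuration. It assumes a hypothetical pair of issuers that share one signing key and one introspection endpoint, and shows a gateway check that accepts any "active" token beside one that also pins the `iss` claim to the route's configured issuer.

```python
"""Added illustration of the CVE-2025-46647 pattern; not APISIX code.
Two OpenID issuers share one signing key and one introspection endpoint.
The endpoint only verifies the signature, so a token minted by issuer B is
reported "active" to a gateway route configured for issuer A. The hardened
gateway check additionally pins the iss claim to the route's issuer.
Keys, issuer URLs and subjects below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-shared-private-key"   # one key for both issuers
ISSUER_A = "https://idp.example/realms/tenant-a"  # hypothetical issuer URLs
ISSUER_B = "https://idp.example/realms/tenant-b"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(issuer: str, subject: str) -> str:
    """Issuer side: sign the claims with the key both issuers share."""
    payload = _b64(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def introspect(token: str) -> dict:
    """Introspection endpoint: verifies the signature only, then echoes claims."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return {"active": False}
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return {"active": False}
    if not isinstance(claims, dict):
        return {"active": False}
    return {"active": True, **claims}


def gateway_allows(token: str, route_issuer: str, pin_issuer: bool) -> bool:
    """Gateway decision. pin_issuer=False mirrors the vulnerable behaviour (any
    active token passes, whichever issuer minted it); pin_issuer=True is the
    hardened check that also requires iss to equal the route's issuer."""
    result = introspect(token)
    if not result.get("active"):
        return False
    return (not pin_issuer) or result.get("iss") == route_issuer
```

Running `gateway_allows(mint_token(ISSUER_B, "user"), ISSUER_A, pin_issuer=False)` returns True, which is the cross-issuer acceptance the advisory describes; with `pin_issuer=True` the same token is rejected.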