CVE-2025-64099
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, the "oidc-claims-extension.groovy" script makes it possible to inject a value of one's choice into a claim contained in the id_token or in the user_info response. In the request to the authorize endpoint, a claims parameter containing a JSON document can be injected. This JSON document allows attackers to customize the claims returned in the "id_token" and "user_info" responses. This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: forgerock
Product: openam
Version / Range: 16.0.0
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Open Access Management (OpenAM) versions prior to 16.0.0 when the "claims_parameter_supported" parameter is enabled. It allows an attacker to inject a JSON file via the claims parameter in an authorize request, which customizes the claims returned in the id_token and user_info. This means an attacker can manipulate claims such as the email field to impersonate any user identity they choose.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Open Access Management (OpenAM) to version 16.0.0 or later, as this version fixes the vulnerability related to the claims_parameter_supported parameter and the oidc-claims-extension.groovy script.


How can this vulnerability impact me?

The vulnerability can lead to identity impersonation because an attacker can inject arbitrary claim values, such as email addresses, into tokens used for authentication. This can allow unauthorized access to systems or data by assuming the identity of legitimate users.
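The description and the impact answer above both come down to one relying-party mistake: keying identity on a profile claim such as email that the token issuer allowed a client to influence. The following Python is an added example for defenders, not code from OpenAM, ForgeRock or this page. It shows the two checks an operator would want while an upgrade to 16.0.0 is scheduled: an inspection of the provider's OIDC discovery document for the "claims_parameter_supported" setting named in the advisory, and a relying-party lookup that keys accounts on the issuer-assigned subject identifier instead of the email claim, with a mismatch report that can be logged as a detection signal. The discovery document, the account table, the issuer URL and the token claims are all constructed sample data; the assumption that the provider's sub claim remains authoritative is defence in depth, not a substitute for the vendor fix.

```python
import json

# Constructed sample OIDC discovery document (placeholder issuer, not a real deployment).
ISSUER = "https://idp.example.test/openam/oauth2"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "claims_parameter_supported": True,
    "claims_supported": ["sub", "email", "name"],
})


def claims_parameter_exposed(discovery_json: str) -> bool:
    """Return True when the provider advertises claims_parameter_supported.

    The advisory's precondition is that this setting is enabled; on an OpenAM
    release before 16.0.0 it is the first configuration item to review.
    """
    doc = json.loads(discovery_json)
    return bool(doc.get("claims_parameter_supported", False))


# Constructed local account store. The key is (issuer, subject); email is kept
# as a mutable attribute next to the account, never used as the identity key.
ACCOUNTS = {
    (ISSUER, "user-1234"): {"username": "alice", "email": "alice@example.test", "role": "user"},
    (ISSUER, "user-0001"): {"username": "admin", "email": "admin@example.test", "role": "admin"},
}


def resolve_by_email(claims: dict):
    """The pattern the advisory warns about: identity chosen by the email claim."""
    wanted = claims.get("email")
    for account in ACCOUNTS.values():
        if wanted is not None and account["email"] == wanted:
            return account
    return None


def resolve_by_subject(claims: dict, expected_issuer: str):
    """Safer pattern: key on (iss, sub) and reject tokens from any other issuer."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss != expected_issuer or not sub:
        return None
    return ACCOUNTS.get((iss, sub))


def claim_mismatch(claims: dict, expected_issuer: str) -> dict:
    """Detection aid: profile claims that disagree with the stored account.

    A token whose subject resolves to one account but whose email names another
    has the shape of the impersonation the advisory describes; return the
    (stored, presented) pair so the caller can log or alert on it.
    """
    account = resolve_by_subject(claims, expected_issuer)
    if account is None:
        return {}
    return {
        key: (account[key], claims[key])
        for key in ("email",)
        if key in claims and claims[key] != account[key]
    }


# Constructed token claims: the subject belongs to alice, but the email claim
# names the admin account. This is sample data, not a captured token.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-1234", "email": "admin@example.test"}

if __name__ == "__main__":
    print("claims parameter exposed:", claims_parameter_exposed(SAMPLE_DISCOVERY))
    print("by email   ->", resolve_by_email(SAMPLE_CLAIMS)["username"])
    print("by subject ->", resolve_by_subject(SAMPLE_CLAIMS, ISSUER)["username"])
    print("mismatch   ->", claim_mismatch(SAMPLE_CLAIMS, ISSUER))
```

Run stand-alone, the script shows the same token resolving to two different accounts depending on which lookup the relying party uses, and the mismatch report that would flag it. Treat a non-empty report from `claim_mismatch` as a security event worth logging alongside the client_id and the request, and treat `claims_parameter_exposed` returning True on an un-upgraded provider as a configuration finding.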

