CVE-2025-64099 – OpenAM allows use of arbitrary OIDC requested claims values in id_token and user_info

CVE ID : CVE-2025-64099

Published : Nov. 12, 2025, 7:15 p.m. | 17 minutes ago

Description : Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the “claims_parameter_supported” parameter is activated, it is possible, thanks to the “oidc-claims-extension.groovy” script, to inject the value of one’s choice into a claim contained in the id_token or in the user_info. In the request of an authorize function, a claims parameter containing a JSON file can be injected. This JSON file allows attackers to customize the claims returned by the “id_token” and “user_info” files. This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…