CVE-2025-27371
In short
When using JSON Web Tokens (JWTs) for OAuth 2.0 client authentication, there are unclear rules about which audience values should be accepted by authorization servers. This ambiguity could allow attackers to craft tokens that bypass intended security checks.
Technical detail
The weakness (classified as CWE-305, Missing Cryptographic Step) stems from ambiguous audience-claim validation in JWT-based OAuth 2.0 client authentication flows across multiple RFCs (7523, 7521, 7522, 9101, 9126). Because the specifications do not state precisely which audience values an authorization server must accept, implementations differ, and an attacker can exploit this inconsistency by presenting JWTs with crafted audience values that one implementation rejects and another accepts, potentially leading to unauthorized token issuance or authentication bypass.
Summary generated and translated by AI from the official description.
In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR).
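The audience ambiguity described above, shown as an added example that is not code from the advisory, the IETF or the OpenID Foundation: a lenient check that accepts several audience values beside a strict one that accepts exactly one. The issuer identifier, token endpoint URL and client_id are constructed values, and the strict variant assumes the authorization server is configured to expect a single audience value (its issuer identifier here).

```python
import base64
import json

# Constructed values for this example; none of them come from the advisory.
AS_ISSUER = "https://as.example.com"
AS_TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "client-123"


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict) -> str:
    """Constructed client assertion with a dummy signature: this example covers
    claim validation only and assumes the signature was already verified
    against the client's registered key."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "dummy-sig"])


def parse_claims(assertion: str) -> dict:
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def lenient_aud_ok(claims: dict) -> bool:
    """The ambiguous behaviour: the AS accepts several audience values and a
    multi-valued aud passes if any entry matches one of them."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in (AS_ISSUER, AS_TOKEN_ENDPOINT) for a in auds)


def strict_aud_ok(claims: dict, expected: str = AS_ISSUER) -> bool:
    """Accept exactly one audience value equal to the one value the AS is
    configured to expect (its issuer identifier here; an assumption)."""
    aud = claims.get("aud")
    if isinstance(aud, list):
        if len(aud) != 1:
            return False
        aud = aud[0]
    return isinstance(aud, str) and aud == expected


def validate_client_assertion(assertion: str, now: int) -> bool:
    """Strict check of a private_key_jwt assertion's iss/sub/exp/aud claims."""
    c = parse_claims(assertion)
    if c.get("iss") != CLIENT_ID or c.get("sub") != CLIENT_ID:
        return False
    if not isinstance(c.get("exp"), int) or c["exp"] <= now:
        return False
    return strict_aud_ok(c)
```

A multi-valued aud that also names a resource server passes the lenient check but fails the strict one, which is the kind of divergence between implementations the advisory warns about.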
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
Affected products
IETF · RFC 7523
References
https://eprint.iacr.org/2025/629
https://github.com/OWASP/ASVS/issues/2678
https://openid.net/notice-of-a-security-vulnerability/
https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
https://talks.secworkshop.events/osw2025/talk/R8D9BS/