Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64099

CVE-2025-64099: OpenAM Authentication Bypass Vulnerability

CVE-2025-64099 is an authentication bypass vulnerability in Open Access Management (OpenAM) that allows attackers to inject malicious claims and assume arbitrary identities. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-64099 Overview

CVE-2025-64099 affects Open Access Management (OpenAM), an open-source access management solution maintained by the Open Identity Platform. The vulnerability exists in versions prior to 16.0.0 when the claims_parameter_supported parameter is enabled. Attackers can exploit the oidc-claims-extension.groovy script to inject arbitrary values into claims contained in the id_token or user_info response. This injection enables identity spoofing against any client application that trusts OpenAM-issued claims for user identification. The vulnerability is tracked as CWE-74: Improper Neutralization of Special Elements in Output. Version 16.0.0 resolves the issue.

Critical Impact

Attackers can forge OpenID Connect claims to impersonate arbitrary users, bypassing authentication controls in any downstream client that relies on injected claim values such as email address.

Affected Products

  • Open Identity Platform OpenAM versions prior to 16.0.0
  • OpenAM deployments with claims_parameter_supported enabled
  • OpenID Connect (OIDC) relying parties consuming OpenAM id_token or user_info claims

Discovery Timeline

  • 2025-11-12 - CVE-2025-64099 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-64099

Vulnerability Analysis

The vulnerability is a claims injection flaw in the OpenID Connect (OIDC) implementation of OpenAM. When claims_parameter_supported is activated, the authorization endpoint accepts a claims parameter containing a JSON document. The oidc-claims-extension.groovy script processes this input without enforcing trust boundaries on the values being asserted.

An attacker submits a crafted claims request parameter to the /authorize endpoint. The Groovy extension propagates attacker-controlled values into the issued id_token and user_info response. Downstream clients receive tokens that appear cryptographically valid and signed by the trusted authorization server.

The impact scales with how relying parties consume claims. Applications that key user accounts on the email claim are particularly exposed. An attacker can assert any email address and assume the identity of the corresponding user inside that application.

Root Cause

The oidc-claims-extension.groovy script lacks input validation and neutralization on values supplied through the OIDC claims request parameter. Attacker-supplied JSON content flows directly into the claim set returned to clients, allowing override of authoritative identity attributes.

Attack Vector

Exploitation requires network access to the OpenAM authorization endpoint and no prior authentication. The attacker constructs an authorization request that includes a claims parameter containing a JSON object specifying the desired override values for id_token or userinfo claims. After completing the authorization flow under their own account, the attacker receives a token containing the injected values and presents it to a vulnerable relying party.

No verified public proof-of-concept is available. Refer to the GitHub Security Advisory GHSA-39hr-239p-fhqc for technical details from the maintainers.

Detection Methods for CVE-2025-64099

Indicators of Compromise

  • Authorization requests to /oauth2/authorize containing a claims query parameter with JSON specifying email, sub, preferred_username, or other identity attributes
  • id_token issuance events where claim values do not match the authenticated subject in the OpenAM user store
  • Application-layer logins where the OIDC sub and email claims map to different OpenAM principals than expected

Detection Strategies

  • Inspect OpenAM access logs for HTTP requests containing the claims= parameter and decode embedded JSON for unexpected attribute overrides
  • Correlate authentication events in OpenAM against downstream relying party login records to identify identity mismatches
  • Enable verbose logging in the oidc-claims-extension.groovy script execution path to capture inbound claim override requests

Monitoring Recommendations

  • Alert on any use of the claims request parameter if your deployment does not legitimately require it
  • Monitor for spikes in /authorize endpoint traffic from unusual source IP ranges
  • Track issued id_token payloads and flag tokens where claim values diverge from the authoritative identity store

How to Mitigate CVE-2025-64099

Immediate Actions Required

  • Upgrade OpenAM to version 16.0.0, which contains the fix for this vulnerability
  • If immediate upgrade is not possible, disable claims_parameter_supported in the OIDC provider configuration
  • Audit all OIDC relying parties that rely on OpenAM-issued claims for user identification, particularly those using email as a primary key
  • Review historical authorization logs for prior abuse of the claims request parameter

Patch Information

The Open Identity Platform released OpenAM 16.0.0 to address this vulnerability. The fix is documented in the GitHub Security Advisory GHSA-39hr-239p-fhqc. Administrators should test the upgrade in a staging environment before production rollout due to the major version change.

Workarounds

  • Set claims_parameter_supported to false in the OIDC provider advanced configuration to block the injection vector
  • Deploy a reverse proxy or web application firewall rule that strips the claims parameter from inbound /authorize requests
  • Reconfigure relying parties to identify users by the sub claim verified against OpenAM rather than mutable attributes such as email
  • Restrict access to the OpenAM authorization endpoint by network segmentation where feasible
bash
# Disable claims_parameter_supported via ssoadm (workaround)
ssoadm set-attr-defs \
  -s OAuth2Provider \
  -t organization \
  -e / \
  -u amadmin \
  -f /path/to/passwordfile \
  -a forgerock-oauth2-provider-claims-parameter-supported=false

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.