Ambiguities in JSON Web Token Audience Values in OAuth 2.0 Specifications by IETF
CVE-2025-27371

6.9MEDIUM

Key Information:

Vendor: Ietf
Status: Rfc 7523
Vendor: CVE Published:; 3 March 2025

Summary

Certain IETF OAuth 2.0-related specifications exhibit ambiguities in the audience values of JSON Web Tokens (JWTs) sent to authorization servers. This issue potentially affects multiple RFCs including RFC 7523, RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR). The lack of clarity in audience values can lead to unintended access or misuse of tokens, highlighting a significant security concern within these widely-used specifications.

Affected Version(s)

RFC 7523 7523

References

https://openid.net/wp-content/uploads/2025/01/OIDF-Respon...

https://openid.net/notice-of-a-security-vulnerability/

https://talks.secworkshop.events/osw2025/talk/R8D9BS/

CVSS V3.1

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 3, 2025
Vulnerability Reserved
Feb 23, 2025