Ambiguities in JSON Web Token Audience Values in OAuth 2.0 Specifications by IETF
CVE-2025-27371

6.9MEDIUM

Key Information:

Vendor

Ietf

Status
Rfc 7523
Vendor
CVE Published:
3 March 2025

What is CVE-2025-27371?

Certain IETF OAuth 2.0-related specifications exhibit ambiguities in the audience values of JSON Web Tokens (JWTs) sent to authorization servers. This issue potentially affects multiple RFCs including RFC 7523, RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR). The lack of clarity in audience values can lead to unintended access or misuse of tokens, highlighting a significant security concern within these widely-used specifications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

RFC 7523 7523

References

https://openid.net/wp-content/uploads/2025/01/OIDF-Respon...
https://openid.net/notice-of-a-security-vulnerability/
https://talks.secworkshop.events/osw2025/talk/R8D9BS/

CVSS V3.1

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.