Vulnerability in OpenID Connect Plugin for Apache APISIX
CVE-2025-46647

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Apisix
Vendor: CVE Published:; 2 July 2025

What is CVE-2025-46647?

A vulnerability exists in the OpenID Connect plugin for Apache APISIX where, under specific conditions, an attacker with valid credentials from one issuer can gain unauthorized access to services associated with another issuer. This occurs when the plugin is used in introspection mode, multiple issuers share the same private key, and the auth service is configured to serve multiple issuers without proper separation. It is crucial for users of Apache APISIX to upgrade to version 3.12.0 or higher to mitigate this security risk.

Affected Version(s)

Apache APISIX 0 < 3.12.0

References

https://lists.apache.org/thread/yrpp2cd3o4qkxlrh421mq8gsr...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2025
Vulnerability Reserved
Apr 26, 2025

Credit

Tiernan Messmer