Identity Spoofing Vulnerability in Open Access Management by OpenIdentityPlatform
CVE-2025-64099

8.1 HIGH

Key Information:

CVE Published: 12 November 2025

What is CVE-2025-64099?

Open Access Management (OpenAM) before version 16.0.0 contains a vulnerability in its 'claims_parameter_supported' feature. Through the 'oidc-claims-extension.groovy' script, an attacker can inject arbitrary JSON values into the id_token or user_info claims, crafting custom claims that impersonate any user and undermining the integrity of user identification. Clients that rely on specific user attributes, such as email addresses, to identify users are particularly exposed, since an attacker can assume any identity they choose. Version 16.0.0 fixes the issue.
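The last point is the one a relying party can act on: local accounts should be bound to the provider's issuer and subject pair, never to a mutable claim such as email. The following is an added example written for this advisory, not code from OpenAM or the advisory itself; the issuer URL, client id, account table and token payload are all constructed.

```python
# Added example (not from the advisory or OpenAM): a relying party that
# links local accounts by the OIDC (iss, sub) pair rather than by email.
# Even if a provider echoes attacker-chosen claim values into a signed
# id_token, the attacker's own 'sub' still resolves only to their account.
from dataclasses import dataclass
from typing import Optional

EXPECTED_ISSUER = "https://op.example.test/oauth2"   # assumed OP issuer
EXPECTED_AUDIENCE = "demo-rp"                        # assumed client_id


@dataclass(frozen=True)
class Account:
    local_id: str
    iss: str
    sub: str
    email: str


# Constructed local account table keyed by (iss, sub).
ACCOUNTS = {
    (EXPECTED_ISSUER, "user-1001"): Account("alice", EXPECTED_ISSUER, "user-1001", "alice@example.test"),
    (EXPECTED_ISSUER, "user-2002"): Account("mallory", EXPECTED_ISSUER, "user-2002", "mallory@example.test"),
}


def resolve_account(claims: dict) -> Optional[Account]:
    """Map id_token claims to a local account using only iss and sub.

    'claims' is assumed to come from an id_token whose signature, expiry
    and nonce were already verified by the OIDC library. Email and other
    profile claims are treated as informational, never as identity.
    """
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return None
    return ACCOUNTS.get((claims["iss"], claims.get("sub")))


def resolve_by_email_unsafe(claims: dict) -> Optional[Account]:
    """The pattern the advisory warns about: identity derived from a mutable claim."""
    for acct in ACCOUNTS.values():
        if acct.email == claims.get("email"):
            return acct
    return None


# Constructed id_token payload: the attacker's own subject carrying an
# injected email claim that names a different user.
FORGED_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
    "sub": "user-2002", "email": "alice@example.test",
}
```

With the forged payload, `resolve_account` still returns mallory's account while `resolve_by_email_unsafe` returns alice's, which is exactly the impersonation the advisory describes.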

Affected Version(s)

OpenAM < 16.0.0

CVSS V4

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
