QwikSec

Security Database

CVE

CWE

Training

CVE-2025-27371

Published: Mar 3, 2025

Modified: Apr 25, 2025

PUBLISHED

CVSS v3.1

6.9

MEDIUM

Description

In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR).

Vendor	Product	Versions
IETF	RFC 7523	affected `7523`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

References

https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf

https://openid.net/notice-of-a-security-vulnerability/

https://talks.secworkshop.events/osw2025/talk/R8D9BS/

https://github.com/OWASP/ASVS/issues/2678

https://eprint.iacr.org/2025/629

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.