CVE-2025-27370

Name of the Vulnerable Software and Affected Versions OpenID Connect Core versions prior to 1.0 errata set 3

Description The issue allows audience injection in certain situations when the private key jwt authentication mechanism is used. A malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.

Recommendations For OpenID Connect Core versions prior to 1.0 errata set 3, consider updating to version 1.0 errata set 3 or later to resolve the issue. As a temporary workaround, restrict the use of the private key jwt authentication mechanism to minimize the risk of exploitation.