How the CVE Works:
The vulnerability exists when the `claims_parameter_supported` OpenID Connect setting is enabled. An attacker can craft a malicious authorization request that includes a specially formatted `claims` parameter. This parameter carries a JSON payload that defines which claims are to be returned in the `id_token` or `user_info` response. The `oidc-claims-extension.groovy` script processes this input without sufficient validation, so an attacker can inject arbitrary values into any claim; for example, they can set the `email` claim to a value of their choice. If a relying client application uses this claim for user identification or authorization decisions, the attacker can impersonate any user by supplying that user's email address, leading to a complete identity takeover.
Platform: OpenAM
Version: < 16.0.3
Vulnerability: Claims Injection
Severity: High
Date: 2025-11-12
Prediction: Patch 2025-11-19
What Undercode Says:
```shell
# The claims value below URL-decodes to {"id_token":{"email":"attacker@domain.com"}}
curl -X GET "https://openam.example.com/oauth2/authorize?\
client_id=CLIENT&\
scope=openid%20profile&\
response_type=id_token&\
claims=%7B%22id_token%22%3A%7B%22email%22%3A%22attacker%40domain.com%22%7D%7D"
```
```groovy
// oidc-claims-extension.groovy snippet (vulnerable form)
import groovy.json.JsonSlurper

def jsonSlurper = new JsonSlurper()
// The request's claims parameter is parsed and its values are used as-is:
// missing validation on claim names and values
def claims = jsonSlurper.parseText(params.claims)
```
```shell
grep "claims_parameter_supported" /path/to/openam/config
```
How to Exploit:
Craft malicious OIDC request.
Inject JSON in `claims` parameter.
Set arbitrary claim values.
Impersonate users via email.
Protection from this CVE:
Update to version 16.0.3.
Disable `claims_parameter_supported` if unused.
Implement input validation in claims script.
Sanitize all user-supplied claim values.
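The following is an added example, not code from OpenAM, the `oidc-claims-extension.groovy` script, or Undercode. It models in Python what the validation and sanitisation steps above amount to: the `claims` parameter is treated only as a request for which claim names to return (the OpenID Connect Core 5.5 shape, where each member is `null` or an object of `essential`/`value`/`values` hints), every returned value is resolved from the authenticated identity, and claims outside the granted scopes are dropped. `IDENTITY_STORE`, `SCOPE_CLAIMS`, `vulnerable_claims` and `hardened_claims` are constructed for this illustration and do not correspond to OpenAM script bindings.

```python
import json

# Constructed sample identity store: claim values must come from here, never from the request.
IDENTITY_STORE = {
    "alice": {"email": "alice@example.org", "name": "Alice Example"},
}

# Constructed mapping of granted scope -> claims that scope unlocks.
SCOPE_CLAIMS = {
    "profile": {"name"},
    "email": {"email"},
}


def vulnerable_claims(claims_param, requested_type="id_token"):
    """Mirrors the flaw described above: whatever the request supplies for
    a claim is copied straight into the token response."""
    requested = json.loads(claims_param)
    return dict(requested.get(requested_type, {}))


def hardened_claims(claims_param, requested_type, subject, granted_scopes):
    """Validate the claims request structurally, then resolve every value
    from the identity store; the request can only choose claim *names*."""
    try:
        requested = json.loads(claims_param)
    except (TypeError, ValueError):
        raise ValueError("claims parameter is not valid JSON")
    if not isinstance(requested, dict):
        raise ValueError("claims parameter must be a JSON object")

    section = requested.get(requested_type, {})
    if not isinstance(section, dict):
        raise ValueError("%s member must be a JSON object" % requested_type)

    # Claims the client is authorised to receive, derived from granted scopes.
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted_scopes))
    user = IDENTITY_STORE[subject]

    result = {}
    for name, spec in section.items():
        # OIDC Core 5.5: each member is null or an object of hints.
        # A bare string such as "attacker@domain.com" is malformed and rejected.
        if spec is not None and not isinstance(spec, dict):
            raise ValueError("malformed request for claim %r" % name)
        if name not in allowed or name not in user:
            continue  # unknown or unauthorised claim: omitted, not echoed
        actual = user[name]
        # A "value" hint is a *request* for a particular value; it is compared
        # against the identity, never copied into the response.
        if spec and "value" in spec and spec["value"] != actual:
            continue
        result[name] = actual
    return result


if __name__ == "__main__":
    attack = '{"id_token":{"email":"attacker@domain.com"}}'
    print("vulnerable:", vulnerable_claims(attack))
    try:
        hardened_claims(attack, "id_token", "alice", ["openid", "email"])
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened:", hardened_claims('{"id_token":{"email":null}}',
                                       "id_token", "alice", ["openid", "email"]))
```

The design choice worth noting is that `hardened_claims` never reads a value out of the request into the token: even a spec-compliant `{"email": {"value": "attacker@domain.com"}}` hint only causes the claim to be compared and then omitted when it does not match the identity store, which is the behaviour the "sanitize all user-supplied claim values" step is meant to guarantee.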
Impact:
Identity Spoofing
Privilege Escalation
Data Integrity Loss
Client Trust Compromise
Sources:
Reported By: github.com