GHSA-39hr-239p-fhqc: OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64099
Package
maven org.openidentityplatform.openam:openam-oauth2 (Maven)
Affected versions
< 16.0.3
Summary
If the “claims_parameter_supported” setting is enabled, the “oidc-claims-extension.groovy” script makes it possible to inject a value of choice into a claim contained in the id_token or in the user_info response.
Authorization requests do not prevent a “claims” parameter containing a JSON document from being injected. That JSON document lets users customize the claims returned in the id_token and in the user_info response.
This allows for a very wide range of vulnerabilities, depending on how clients use claims. For example, if some clients rely on an email claim to identify a user, users can choose to enter any email address and therefore assume any chosen identity.
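The following is an added illustration, not code from OpenAM or from the advisory, of the two ways a provider can treat the OIDC “claims” request parameter. The weak resolver copies a requested `value` member straight into the issued claims, which is the behaviour class the advisory describes; the hardened resolver sources every claim value from the authenticated user's profile and treats `value`/`values` only as a constraint (emit the claim if the real value matches, otherwise omit it), which is how OIDC Core 5.5.1 defines those members. The user profile, the claim allow-list and the request document are constructed sample data.

```python
import json

# Constructed sample profile standing in for the authenticated user's attributes.
USER_PROFILE = {
    "sub": "user-1234",
    "email": "alice@example.test",
    "email_verified": True,
    "name": "Alice Example",
}

# Constructed allow-list of claims the provider is willing to release at all.
ALLOWED_CLAIMS = {"email", "email_verified", "name"}


def parse_claims_parameter(raw):
    """Parse the OIDC `claims` request parameter into {target: {claim: spec}}.

    Only the `id_token` and `userinfo` members are considered. Each claim spec is
    either null or an object that may carry `essential`, `value` or `values`.
    Malformed input is rejected instead of being guessed at.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("claims parameter must be a JSON object")
    out = {}
    for target in ("id_token", "userinfo"):
        section = doc.get(target)
        if section is None:
            continue
        if not isinstance(section, dict):
            raise ValueError(f"{target} member must be a JSON object")
        for name, spec in section.items():
            if spec is not None and not isinstance(spec, dict):
                raise ValueError(f"claim spec for {name} must be null or an object")
        out[target] = section
    return out


def resolve_claims_vulnerable(requested, profile):
    """Weak behaviour: a requested `value` is copied into the issued claims as-is."""
    result = {}
    for name, spec in requested.items():
        if isinstance(spec, dict) and "value" in spec:
            result[name] = spec["value"]  # caller-chosen value ends up in the token
        elif name in profile:
            result[name] = profile[name]
    return result


def resolve_claims_hardened(requested, profile):
    """Hardened behaviour: values come only from the user's profile.

    `value` and `values` are honoured only as filters: if the real value does not
    match what was requested, the claim is omitted. Claims outside the allow-list
    or absent from the profile are never emitted.
    """
    result = {}
    for name, spec in requested.items():
        if name not in ALLOWED_CLAIMS or name not in profile:
            continue
        actual = profile[name]
        if isinstance(spec, dict):
            if "value" in spec and spec["value"] != actual:
                continue
            if "values" in spec and actual not in spec["values"]:
                continue
        result[name] = actual
    return result


# Constructed request asking for a specific email value and for the name claim.
SAMPLE_REQUEST = json.dumps({
    "id_token": {
        "email": {"essential": True, "value": "someone-else@example.test"},
        "name": None,
    }
})


def demo(raw=SAMPLE_REQUEST, profile=USER_PROFILE):
    """Return (weak, hardened) id_token claim sets for the same request."""
    requested = parse_claims_parameter(raw).get("id_token", {})
    return (resolve_claims_vulnerable(requested, profile),
            resolve_claims_hardened(requested, profile))


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak resolver   :", weak)
    print("hardened resolver:", hardened)
```

The hardened resolver omits the email claim rather than erroring, which is the spec's prescribed outcome for an unsatisfiable requested value; a provider that wants to fail the request for `essential` claims can do so at the same point without ever letting the requested value reach the token.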
References
- GHSA-39hr-239p-fhqc
- OpenIdentityPlatform/OpenAM@4254b34
- https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.0.3
Published to the GitHub Advisory Database
Nov 12, 2025
Last updated
Nov 12, 2025