The OpenID Foundation is committed to maintaining the highest security standards in identity protocols and takes security research seriously. As our specifications move towards final status, we engage security researchers to conduct a rigorous security analysis and identify any vulnerabilities in the specifications. During a formal analysis of OpenID Federation, a security vulnerability was discovered relating to ambiguities in the audience (aud) values of JWTs sent to authorization servers. This vulnerability also impacts other OpenID and OAuth specifications. Corrective actions have already been taken and incorporated into OpenID Foundation specifications and certification tests to address the potential issue. Corrective actions are under way for the affected OAuth specifications as well. In parallel, we have been working closely with relevant stakeholders to ensure robust mitigation strategies are in place across the implementer and standards communities.
At this time, we are not aware of any compromises resulting from this potential attack vector. Some ecosystems that were previously vulnerable have updated their deployments to address the vulnerability. Our focus is on ensuring that all implementers are well-equipped with the guidance needed to secure their deployments effectively.
Our sincere thanks to the University of Stuttgart security researchers Dr. Ralf Küsters, Tim Würtele, and Pedram Hosseyni for their due diligence that led to the identification of this security vulnerability. This discovery is an example of the value of security analysis, partnerships, and community collaboration.
Further details on this security vulnerability can be found here: https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf. Questions relating to your own implementation can be directed to certification@oidf.org.
The vulnerability has been assigned CVE numbers:
- CVE-2025-27370 for OpenID Foundation private_key_jwt as defined in OpenID Connect
- CVE-2025-27371 for IETF OAuth2 JWT client authentication assertions as defined in RFC 7521/7523
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
