CVE-2025-46647
Apache APISIX vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-46647) has been identified in the openid-connect plugin of Apache APISIX, discovered and reported by JunXu Chen and credited to security researcher Tiernan Messmer on July 2, 2025. The vulnerability affects Apache APISIX versions prior to 3.12.0 and has been rated as 'Important' with a CVSS v3.1 base score of 5.3 (Medium) (NVD, Security Online).

Technical details

The vulnerability stems from improper validation of the token issuer in the OpenID Connect plugin when used in introspection mode. The flaw manifests only when three specific conditions are met:

1) The openid-connect plugin is used in introspection mode.
2) The authentication service connected to the plugin supports multiple issuers.
3) Multiple issuers share the same private key and rely solely on the issuer value for differentiation.

The vulnerability is classified as CWE-302 (Authentication Bypass by Assumed-Immutable Data) (NVD, GBHackers).
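The following simplified Python model is an added illustration, not APISIX's own code: one authentication service serves two logical issuers with a shared signing key, its introspection endpoint only checks the signature, and the gateway-side check is shown with and without issuer validation. The key, issuer URLs and subject names are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed example: two logical issuers served by one authentication
# service that signs with the same HS256 key. Only the "iss" claim tells
# tokens from the two tenants apart (condition 3 above).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER_A = "https://idp.example.test/tenant-a"
ISSUER_B = "https://idp.example.test/tenant-b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str) -> str:
    """Stand-in for the IdP: issue a compact HS256 JWS for the given issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def introspect(token: str) -> dict:
    """Stand-in for the introspection endpoint: returns the claims when the
    signature verifies under the shared key, else {"active": False}. It does
    not know which route the token is presented to, so it cannot enforce the
    issuer boundary by itself; that is the gateway's job."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"active": False}
        return {"active": True, **json.loads(_b64url_decode(payload))}
    except ValueError:  # malformed token, bad base64 or bad JSON
        return {"active": False}


def authorize_unpatched(route_issuer: str, token: str) -> bool:
    """Pre-fix behaviour the advisory describes: any active token is accepted,
    regardless of which issuer the route is configured for."""
    return bool(introspect(token).get("active", False))


def authorize_patched(route_issuer: str, token: str) -> bool:
    """Fixed behaviour: the introspected "iss" must equal the route's issuer."""
    claims = introspect(token)
    return bool(claims.get("active")) and claims.get("iss") == route_issuer
```

A regression test for the fix is simply: a token minted for ISSUER_B must be rejected on a route configured for ISSUER_A by `authorize_patched`, while a token minted for ISSUER_A is still accepted.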

Impact

If successfully exploited, this vulnerability would allow an attacker with valid credentials on one issuer to gain unauthorized access to resources protected by another issuer, effectively bypassing cross-issuer boundaries. This is particularly concerning in multi-tenant enterprise environments or federated cloud architectures where a single identity provider is used across multiple logical domains (Security Online).

Mitigation and workarounds

Users are strongly advised to upgrade to Apache APISIX version 3.12.0 or higher, which contains the fix for this vulnerability. The Apache APISIX team has addressed the issue by implementing proper validation of the issuer in the openid-connect plugin (NVD).

This report was generated using AI.

Related Apache APISIX vulnerabilities:

CVE ID         | Severity | Score | Technologies  | Component name                          | CISA KEV exploit | Has fix | Published date
CVE-2025-27446 | HIGH     | 7.8   | Apache APISIX | Apache APISIX (cpe:2.3:a:apache:apisix) | No               | Yes     | Jul 06, 2025
CVE-2025-62232 | HIGH     | 7.5   | Apache APISIX | Apache APISIX (cpe:2.3:a:apache:apisix) | No               | Yes     | Oct 31, 2025
CVE-2022-29266 | HIGH     | 7.5   | Apache APISIX | Apache APISIX (cpe:2.3:a:apache:apisix) | No               | Yes     | Apr 20, 2022
CVE-2024-32638 | MEDIUM   | 6.3   | Apache APISIX | Apache APISIX (cpe:2.3:a:apache:apisix) | No               | Yes     | May 02, 2024
CVE-2025-46647 | MEDIUM   | 5.3   | Apache APISIX | Apache APISIX (cpe:2.3:a:apache:apisix) | No               | Yes     | Jul 02, 2025
