CVE-2025-64099: 
Java vulnerability analysis and mitigation

CVE-2025-64099 affects Open Access Management (OpenAM), an access management solution. The vulnerability was discovered and disclosed on November 12, 2025, impacting all versions prior to 16.0.0. The issue allows attackers to inject arbitrary values into claims contained in idtoken or userinfo when the 'claimsparametersupported' parameter is activated, potentially leading to identity impersonation (GitHub Advisory).

The vulnerability exists in the OpenAM's OIDC implementation, specifically in the 'oidc-claims-extension.groovy' script. When the 'claimsparametersupported' parameter is enabled, attackers can inject a JSON file through the authorize function's claims parameter. This JSON file can be used to customize the claims returned by both 'idtoken' and 'userinfo' files. The vulnerability has been assigned a CVSS 4.0 score of 8.1 HIGH with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (GitHub Advisory).

The vulnerability allows attackers to manipulate identity claims, potentially leading to identity impersonation. For example, if applications rely on email fields for user identification, an attacker can inject any email address of their choice, effectively assuming any user's identity. This creates a significant security risk for systems relying on OpenAM for authentication and authorization (GitHub Advisory).

The vulnerability has been fixed in OpenAM version 16.0.0. Organizations using affected versions should upgrade to version 16.0.0 or later to protect against this vulnerability. No alternative workarounds have been published (GitHub Advisory).