CVE-2025-64099: 
Java vulnerability analysis and mitigation

CVE-2025-64099 affects Open Access Management (OpenAM), an access management solution. The vulnerability was discovered and disclosed on November 12, 2025. The issue affects all versions prior to 16.0.0 and allows attackers to manipulate OIDC claims through the claims_parameter_supported functionality (GitHub Advisory).

The vulnerability exists in the oidc-claims-extension.groovy script when the claims_parameter_supported parameter is activated. The root cause is in the attributeRetriever closure which fails to validate user-provided claim values against the user's actual identity. The vulnerability has received a CVSS 4.0 score of 8.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U. The issue is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (GitHub Advisory, NVD).

The vulnerability allows attackers to inject arbitrary values into claims contained in the id_token or user_info. This enables a wide range of potential attacks depending on how clients use claims. For example, if clients rely on email fields for user identification, an attacker can forge any email address and assume any identity, effectively bypassing authentication controls (GitHub Advisory, Miggo).

The vulnerability has been fixed in OpenAM version 16.0.0. The patch addresses the issue by comparing the requested claim value with the value retrieved from the user's identity and rejecting any mismatches. Organizations using affected versions should upgrade to version 16.0.0 or later (GitHub Advisory).