Is org.openidentityplatform.openam:openam-oauth2 affected by CVE-2025-64099?

Maven org.openidentityplatform.openam:openam-oauth2 is affected in <16.0.3.

Is CVE-2025-64099 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

high

CVE-2025-64099

Q: Is CVE-2025-64099 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

Maven · org.openidentityplatform.openam:openam-oauth2

Summary

OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed

Severity: high
EPSS: 0.3% (p20)
Also known as: GHSA-39hr-239p-fhqc
Published: 2025-11-12

References

https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqc
https://nvd.nist.gov/vuln/detail/CVE-2025-64099
https://github.com/OpenIdentityPlatform/OpenAM/commit/4254b34b2b8b4867f2e7fccfac73904213d48510

Related advisories

CVE-2024-41667 — high · Maven/org.openidentityplatform.openam:openam-oauth2

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.