CVE-2025-27370: CWE-305 Authentication Bypass by Primary Weakness in OpenID OpenID Connect
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client.
AI Analysis
Technical Summary
CVE-2025-27370 is a medium-severity vulnerability affecting OpenID Connect Core through version 1.0 errata set 2. It is an authentication bypass (CWE-305, Authentication Bypass by Primary Weakness) in the private_key_jwt client authentication mechanism. With private_key_jwt, the Client authenticates to an Authorization Server's token endpoint by presenting a JWT signed with its own private key, and the 'aud' (audience) claim of that JWT is meant to name the Authorization Server it is addressed to. Because the Client fills in that audience from values the Authorization Server itself supplies, a malicious Authorization Server can cause the Client to sign an assertion whose audience is the token endpoint or issuer identifier of a different, legitimate Authorization Server. The malicious server can then present that assertion to the other Authorization Server and impersonate the Client, bypassing its client authentication. Exploitation requires no user interaction, but it does require a malicious or compromised Authorization Server that the Client is configured to trust. No exploits in the wild have been reported, and no patches had been officially released as of the publication date. Affected are implementations of OpenID Connect that rely on the private_key_jwt client authentication method and do not adequately validate the audience claim, allowing cross-issuer reuse of client assertions and client impersonation.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those relying heavily on OpenID Connect for federated identity and single sign-on (SSO) solutions. Successful exploitation could lead to unauthorized access to sensitive systems by allowing attackers to impersonate legitimate clients, potentially bypassing multi-factor authentication and other security controls. This can result in data breaches, unauthorized transactions, and lateral movement within corporate networks. Critical sectors such as finance, healthcare, government, and telecommunications, which often use OpenID Connect for identity federation, are particularly at risk. The compromise of client identities could undermine trust in identity providers and disrupt secure access to cloud services and internal applications. Additionally, the ability to impersonate clients may facilitate further attacks, including privilege escalation and data exfiltration. Given the interconnected nature of European digital infrastructure and the reliance on identity federation for compliance with regulations like eIDAS and GDPR, the impact could extend beyond individual organizations to affect broader supply chains and citizen services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately review and audit their OpenID Connect implementations, focusing on the private_key_jwt authentication method.
2) Ensure strict validation of the 'audience' claim in JWT tokens, verifying that it names the specific Authorization Server the assertion is addressed to (its expected token endpoint or issuer identifier) and rejecting assertions addressed to any other server.
3) Limit trust relationships to only well-vetted and trusted Authorization Servers, avoiding acceptance of tokens from unknown or untrusted issuers.
4) Implement additional monitoring and anomaly detection for unusual authentication patterns that could indicate client impersonation attempts.
5) Where possible, transition to alternative client authentication methods less susceptible to audience injection, such as mutual TLS or client secrets, until patches or updates addressing this vulnerability are available.
6) Engage with OpenID Connect vendors and open-source communities to track patch releases and apply updates promptly once available.
7) Conduct penetration testing and threat modeling exercises to assess exposure and validate the effectiveness of mitigations.
8) Educate security teams and developers about the risks of audience injection and the importance of strict token validation in federated identity systems.
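The following is an added illustration, not code from the advisory or from the OpenID project. It shows, on constructed sample metadata, the problematic pattern of copying an Authorization Server's advertised token endpoint into the private_key_jwt 'aud' claim, beside a hardened Client that pins the audience to its configured issuer, and the Authorization Server-side audience check from mitigation item 2. Signing is omitted; the metadata, hostnames and the hardening policy are assumptions for the example.

```python
import time
import uuid

# Constructed sample: discovery metadata as a malicious AS might serve it. Its
# issuer is its own, but token_endpoint names a different AS. A Client that
# copies token_endpoint into "aud" signs an assertion the malicious AS can
# forward to that other AS, which is the injection the advisory describes.
MALICIOUS_METADATA = {
    "issuer": "https://evil-as.example",
    "token_endpoint": "https://victim-as.example/token",
}
VICTIM_ISSUER = "https://victim-as.example"
VICTIM_TOKEN_ENDPOINT = "https://victim-as.example/token"

def vulnerable_audience(metadata):
    """Problematic pattern: aud copied verbatim from the advertised token endpoint."""
    return metadata["token_endpoint"]

def build_client_assertion_claims(client_id, configured_issuer, metadata):
    """Claim set for a private_key_jwt assertion (signing omitted).

    Hardening policy assumed here: reject metadata whose issuer differs from
    the configured one, and pin aud to that configured issuer rather than to
    any URL the AS supplied.
    """
    if metadata.get("issuer") != configured_issuer:
        raise ValueError("metadata issuer does not match configured issuer")
    now = int(time.time())
    return {"iss": client_id, "sub": client_id, "aud": configured_issuer,
            "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}

def assertion_audience_ok(claims, own_issuer, own_token_endpoint):
    """AS-side check: accept only assertions addressed to this AS.

    aud may be a string or a list (RFC 7519); at least one entry must name
    this AS by its issuer identifier or token endpoint, nothing else.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud:
        return False
    return any(a in (own_issuer, own_token_endpoint) for a in aud)
```

An assertion built by the hardened Client for the malicious server carries that server's issuer as its audience, so the other Authorization Server's check rejects it; the copied-token-endpoint variant would pass that same check.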
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-23T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf04a0
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 12:26:10 PM
Last updated: 8/17/2025, 1:50:22 AM