CVE-2025-64099 is an injection vulnerability classified under CWE-74 affecting OpenIdentityPlatform's OpenAM access management solution in versions prior to 16.0.0. When the 'claims_parameter_supported' parameter is enabled, the 'oidc-claims-extension.groovy' script processes a JSON-formatted claims parameter in authorization requests without proper neutralization of special elements. This allows an attacker to inject arbitrary JSON claims into the id_token and user_info responses. Since these tokens are often used by clients to identify and authorize users, an attacker can manipulate claims such as the email address to impersonate any user. The vulnerability is exploitable remotely without authentication or user interaction, increasing its risk. The CVSS 4.0 base score is 8.1 (high), reflecting its network attack vector, low complexity, and high impact on confidentiality, integrity, and availability of identity assertions. The flaw stems from improper sanitization of input data used downstream in token generation, enabling injection attacks that can compromise identity trust. The issue was publicly disclosed on November 12, 2025, and fixed in OpenAM 16.0.0. No known exploits are currently reported in the wild, but the potential for identity spoofing and unauthorized access is significant, especially in environments relying heavily on OpenAM for authentication and authorization.

For European organizations, this vulnerability poses a critical risk to identity and access management systems. Exploitation can lead to unauthorized access by impersonating legitimate users, potentially bypassing security controls and gaining access to sensitive data and systems. This undermines trust in authentication tokens and can facilitate lateral movement within networks, data breaches, and fraud. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on OpenAM for single sign-on (SSO) and identity federation are particularly vulnerable. The impact extends to regulatory compliance, as identity compromise can lead to violations of GDPR and other data protection laws, resulting in legal and financial penalties. The ease of exploitation without authentication or user interaction increases the urgency for mitigation. Additionally, the wide range of possible injected claims means attackers can tailor attacks to specific client implementations, complicating detection and response.

The primary mitigation is to upgrade all OpenAM deployments to version 16.0.0 or later, where the vulnerability is fixed. Organizations should audit their use of the 'claims_parameter_supported' feature and disable it if not required. Review client applications that consume id_token and user_info claims to ensure they do not blindly trust or rely solely on claims for critical identity decisions, especially fields like email addresses. Implement additional validation and verification mechanisms on the client side to detect anomalous or unexpected claim values. Employ strict input validation and sanitization on any user-controllable parameters related to identity tokens. Monitor logs for unusual authorization requests containing suspicious claims parameters. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block injection attempts targeting the claims parameter. Conduct penetration testing and code reviews focused on identity token handling and claims processing. Finally, maintain an incident response plan tailored to identity compromise scenarios.