CVE-2025-53003

Janssen Config API returns results without scope verification

Description

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.

INFO

Published Date :

2025-07-01T01:22:05.855Z

Last Modified :

2025-07-01T13:34:32.703Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-53003 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53003.

URL	Resource
https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1
https://github.com/JanssenProject/jans/issues/11575
https://github.com/JanssenProject/jans/releases/tag/v1.8.0
https://github.com/JanssenProject/jans/security/advisories/GHSA-373j-mhpf-84wg

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability