CVE-2024-21643 HIGH

CVE-2024-21643: Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability

Vendor Azuread
Product azure-activedirectory-identitymodel-extensions-for-dotnet
Weakness CWE-94 · Code injection
Published January 10, 2024
Last update June 10, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

IdentityModel Extensions for .NET provide assemblies for web developers who wish to use federated identity providers to establish the caller's identity. Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidator` is vulnerable. Microsoft.IdentityModel trusts the `jku` claim by default for the `SignedHttpRequest` protocol, so the URL carried in a token's `jku` header is dereferenced without validation; this makes it possible to cause the validator to issue an arbitrary remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel packages to 7.1.2 or higher (for 7.x) or 6.34.0 or higher (for 6.x).
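The defensive check a validator needs before dereferencing a `jku` URL, shown here as an added Python example (not the project's .NET code): the JOSE header is parsed and the `jku` URL is accepted only when it is HTTPS, carries no userinfo, is not an IP literal (so loopback and private addresses are never fetched), and names a host on an operator-controlled allowlist. The allowlist, hostnames and tokens are constructed; the check deliberately does no DNS resolution, so it runs offline.

```python
import base64
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service trusts to serve PoP keys.
ALLOWED_JKU_HOSTS = {"login.example.com"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact-serialised JWT (no signature check here)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def jku_is_allowed(jku: str, allowed_hosts=ALLOWED_JKU_HOSTS) -> bool:
    """Policy: https only, no userinfo, no IP literal, host must be allowlisted."""
    parts = urlsplit(jku)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if host is None or parts.username or parts.password:
        return False  # missing host, or 'trusted@evil' style authority confusion
    try:
        ipaddress.ip_address(host)  # succeeds for 127.0.0.1, ::1, 10.x, ...
    except ValueError:
        pass  # a DNS name; fall through to the allowlist
    else:
        return False  # IP literals are never fetched
    return host.lower() in allowed_hosts


def resolve_pop_key_url(token: str, allowed_hosts=ALLOWED_JKU_HOSTS):
    """Return the jku URL only if policy permits fetching it, otherwise None."""
    jku = jwt_header(token).get("jku")
    if not isinstance(jku, str) or not jku_is_allowed(jku, allowed_hosts):
        return None
    return jku


def make_token(header: dict) -> str:
    """Constructed unsigned token with the given header; payload and signature are dummies."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])
```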

Key dates

Disclosure timeline

January 10, 2024 CVE published
June 10, 2025 Record updated