CVE-2025-53003 HIGH

CVE-2025-53003: Janssen Config API returns results without scope verification

Vendor Janssenproject

Product jans

Weakness CWE-200 · Info exposure

Published July 1, 2025

Last update July 1, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.

Key dates

02Disclosure timeline

July 1, 2025 CVE published

July 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53003 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2025-53003: Janssen Config API returns results without scope verification

01Description

02Disclosure timeline

03References

04Related CVE