Apache APISIX openid-connect Plugin Introspection Vulnerability Before 3.12.0
CVE-2025-46647 Published on July 2, 2025
Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
A vulnerability of plugin openid-connect in Apache APISIX.
This vulnerability will only have an impact if all of the following conditions are met:
1. Use the openid-connect plugin with introspection mode
2. The auth service connected to openid-connect provides services to multiple issuers
3. Multiple issuers share the same private key and relies only on the issuer being different
If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer.
This issue affects Apache APISIX: until 3.12.0.
Users are recommended to upgrade to version 3.12.0 or higher.
Vulnerability Analysis
CVE-2025-46647 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Products Associated with CVE-2025-46647
Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache APISIX:- Before 3.12.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.