CVE-2025-46647

low-risk

Published 2025-07-02

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Apisix

Affected Vendors

Apache

References (2)

Mailing List https://lists.apache.org/thread/yrpp2cd3o4qkxlrh421mq8gsrt0k4x0w

http://www.openwall.com/lists/oss-security/2025/07/02/1

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal