CVE-2025-59363 in OneLogin
Summary
by MITRE • 09/14/2025
In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/14/2025
The vulnerability identified as CVE-2025-59363 affects One Identity OneLogin software versions prior to 2025.3.0, representing a critical information disclosure flaw that violates fundamental security principles of credential management. This vulnerability specifically impacts the OpenID Connect (OIDC) client secret handling within the Apps API v2 endpoint, where sensitive authentication credentials are inadvertently exposed during routine API requests. The issue stems from improper access control and data exposure mechanisms within the application's API response handling, where the system fails to enforce appropriate authorization checks before returning confidential client secret information.
The technical implementation flaw resides in the API response logic where the GET Apps API v2 endpoint returns OIDC client secrets regardless of the request context or user permissions. This behavior directly contravenes established security practices for credential management and violates the principle of least privilege. According to CWE-200, this represents an information disclosure vulnerability where sensitive data is exposed to unauthorized parties. The flaw essentially allows any authenticated user with access to the Apps API v2 endpoint to retrieve client secrets that should only be accessible during initial application creation or through specific administrative operations. This misconfiguration creates a significant attack surface where malicious actors could potentially exploit the exposed secrets to impersonate applications or gain unauthorized access to integrated services.
The operational impact of this vulnerability extends beyond simple credential exposure, as OIDC client secrets serve as critical authentication tokens that enable secure communication between applications and identity providers. When these secrets are exposed through unauthorized API access, attackers can potentially impersonate legitimate applications, perform unauthorized authentication requests, and gain access to protected resources within the OneLogin ecosystem. The vulnerability enables a range of malicious activities including but not limited to application spoofing, unauthorized data access, and potential lateral movement within the identity infrastructure. This exposure particularly affects organizations that rely on OneLogin for identity management and single sign-on operations, as the compromised secrets could be used to bypass authentication mechanisms and gain unauthorized access to enterprise resources.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1566, which involves credential harvesting through various attack vectors including API exploitation and information gathering. The flaw creates an opportunity for attackers to escalate privileges and move laterally within the network environment by leveraging the exposed secrets to authenticate as legitimate applications. Organizations using vulnerable versions of OneLogin face significant risk of unauthorized access to their identity infrastructure, potentially leading to data breaches and compromised user credentials. The vulnerability's impact is amplified by the fact that client secrets are often used across multiple systems and services, meaning a single exposed secret could compromise multiple applications within the organization's infrastructure. Security teams should immediately implement mitigation strategies including immediate patching of affected systems, monitoring for unauthorized API access, and revocation of exposed secrets to prevent further exploitation.
The remediation approach should prioritize immediate deployment of the patched OneLogin version 2025.3.0 or later, which addresses the improper secret exposure behavior through enhanced API access controls and proper credential handling mechanisms. Organizations should also implement additional monitoring controls to detect unauthorized access attempts to the Apps API v2 endpoint and establish automated alerting for suspicious credential exposure patterns. Configuration reviews should ensure that API endpoints properly enforce authorization checks and that sensitive data is only returned to authorized users with appropriate privileges. The vulnerability highlights the importance of proper API security design and demonstrates how seemingly minor implementation flaws can create significant security risks in identity management systems.