Introduction
Exposure of OIDC client secrets through an administrative API lets an attacker impersonate enterprise applications and subvert the authentication flows built on them. CVE-2025-59363 affects organizations running One Identity OneLogin before version 2025.3.0, where these credentials were retrievable through the GET Apps API v2 endpoint, a significant risk for any environment that relies on OneLogin for federated identity.
One Identity is a major identity and access management vendor, with OneLogin serving as a widely adopted cloud-based SSO and identity federation platform. OneLogin is used by thousands of organizations globally to centralize authentication and authorization, making vulnerabilities in its core authentication flows highly impactful.
Technical Information
CVE-2025-59363 lies in the GET Apps API v2 endpoint of OneLogin versions before 2025.3.0. The endpoint, intended for retrieving application configuration, included the OIDC client secret in its response on routine reads, long after the application had been created. A client secret is a write-once credential: it is shown at registration so the relying party can store it, and from then on it is handled like a password and never echoed back by read endpoints. Returning it on every read turns an ordinary inventory or reporting call into a credential dump.
The flaw is classified as CWE-669 (Incorrect Resource Transfer Between Spheres): the OIDC client secret crossed from the sphere where it is tightly controlled (the application's own configuration store) into the sphere of ordinary API consumers, violating least privilege and the information boundary the API was meant to enforce. The endpoint is not anonymous; the exposure is to any principal holding OneLogin API credentials that permit listing apps, which in practice includes inventory and reporting automation and lower-privileged administrators who have no business seeing a secret. Such a principal could enumerate applications and retrieve their client secrets, enabling:
- Application impersonation by using the secret to authenticate as the app
- Manipulation of authentication flows, such as obtaining tokens in the application's name or accessing user data the application is authorized to read
- Lateral movement across federated applications if secrets are reused or permissions are broad
No public code snippets or exploit scripts are available, but the mechanism is confirmed in vendor documentation and release notes. Upgrading closes the leak but does not invalidate secrets the endpoint already returned: any OIDC client secret that may have been read through it, including into API client logs, SIEM ingestion or automation caches, should be rotated on both the OneLogin side and the relying application.
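The audit script below is an added example written for this page; it is not One Identity's code and it is not an exploit. It parses the JSON an app-listing call returns and reports every app whose record still carries a non-empty secret-like field, which is the check a practitioner would run over an archived pre-upgrade response or against a tenant after patching to confirm the fix. The record layout and field names in the constructed sample (`configuration.client_secret` and so on) are assumptions for illustration, not the documented OneLogin schema; the `fetch_apps` helper targets the v2 apps endpoint with a bearer token and runs only when you supply real credentials.

```python
"""Audit OneLogin app records for OIDC client secrets echoed by a read call.

Added example for this page, not One Identity's code. The JSON walk is
schema-agnostic: it flags any key that looks like a secret, so it does not
depend on the exact field names OneLogin uses (which are assumed below).
"""
import json
import re
import urllib.request
from typing import Any, Iterator

# Key names that must never appear with a live value in a read response.
# Illustrative list; extend it to match the tenant's schema.
SECRET_KEY_RE = re.compile(
    r"(client[_-]?secret|secret|password|private[_-]?key)$", re.IGNORECASE
)

# Values that are redaction placeholders rather than live secrets.
REDACTED_VALUES = {"", None, "********", "[REDACTED]", "<redacted>"}


def walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{path}[{idx}]")
    else:
        yield path, obj


def find_leaked_secrets(app: dict) -> list[str]:
    """Return the paths inside one app record whose key looks like a secret
    and whose value is non-empty, i.e. the server echoed a real credential."""
    hits = []
    for path, value in walk(app):
        key = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        if SECRET_KEY_RE.search(key) and value not in REDACTED_VALUES:
            hits.append(path)
    return hits


def audit_apps_response(body: str) -> dict[int, list[str]]:
    """Parse a JSON array of app records and map app id -> leaked field paths.
    Apps that leak nothing are omitted, so an empty dict means a clean tenant."""
    findings = {}
    for app in json.loads(body):
        hits = find_leaked_secrets(app)
        if hits:
            findings[app["id"]] = hits
    return findings


def fetch_apps(subdomain: str, access_token: str) -> str:
    """Live fetch of the v2 app list (not called in the offline demo).
    Endpoint path and bearer auth follow the OneLogin API v2 conventions;
    verify against your tenant's documentation before relying on it."""
    req = urllib.request.Request(
        f"https://{subdomain}.onelogin.com/api/2/apps",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: two app records in the shape a pre-2025.3.0 tenant
# might return. Field names are illustrative assumptions, not the documented
# OneLogin schema, and the secret value is fake.
SAMPLE_RESPONSE = json.dumps([
    {
        "id": 101,
        "name": "HR Portal (OIDC)",
        "configuration": {
            "redirect_uri": "https://hr.example.com/callback",
            "client_id": "hr-portal-client-id",
            "client_secret": "fake-secret-value-echoed-on-read",  # must not be here
        },
    },
    {
        "id": 102,
        "name": "Wiki (SAML)",
        "configuration": {
            "signature_algorithm": "SHA-256",
            "client_secret": "",  # empty: the read endpoint redacted it
        },
    },
])

if __name__ == "__main__":
    for app_id, paths in audit_apps_response(SAMPLE_RESPONSE).items():
        print(f"app {app_id}: secret-like field(s) in read response: {', '.join(paths)}")
```

Run the script as-is to see the constructed sample flagged (app 101 only); to audit a real tenant, replace `SAMPLE_RESPONSE` with `fetch_apps(subdomain, token)` using API credentials that can list apps. A non-empty result after upgrading means the secret is still being echoed and should be treated as a finding; a result that is non-empty on an archived pre-upgrade capture tells you which applications' secrets to rotate.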
Affected Systems and Versions
- Product: One Identity OneLogin
- Affected versions: All versions before 2025.3.0
- Vulnerable configuration: Any deployment where the GET Apps API v2 endpoint is accessible and OIDC applications are configured
Vendor Security History
One Identity has had several notable vulnerabilities in 2025, including critical issues in its Active Directory Connector (CVE-2025-52925). The vendor has issued timely patches for these flaws, but the recurrence of high-impact vulnerabilities in authentication components points to ongoing challenges in secure development and testing. Organizations should monitor One Identity advisories and treat patches to core authentication infrastructure as urgent.