CVE-2025-59363 Overview
CVE-2025-59363 affects One Identity OneLogin versions prior to 2025.3.0. The flaw exposes OpenID Connect (OIDC) client secrets through the GET Apps API v2 endpoint. Client secrets should only be returned once, at the time an application is first created. Instead, authenticated callers can retrieve these secrets on subsequent API requests. The issue is classified under CWE-669: Incorrect Resource Transfer Between Spheres. An attacker with valid API credentials can harvest OIDC secrets for every configured application and impersonate those applications against the identity provider.
Critical Impact
Authenticated API access allows extraction of OIDC client secrets for all OneLogin-integrated applications, enabling downstream token forgery and federated identity abuse.
Affected Products
- One Identity OneLogin versions before 2025.3.0
- OneLogin Apps API v2 endpoints returning OIDC application configuration
- Tenants with OIDC-integrated applications managed through the OneLogin platform
Discovery Timeline
- 2025-09-14 - CVE-2025-59363 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59363
Vulnerability Analysis
The vulnerability resides in the OneLogin Apps API v2 response handler. The GET /api/2/apps/{id} endpoint serializes application configuration data, including OIDC parameters, back to the caller. The serializer fails to strip the client_secret field from responses for existing applications. OIDC client secrets function as bearer credentials between an application and the identity provider. A leaked secret allows an attacker to mint valid tokens, impersonate the application, or complete confidential client authentication flows. The Apps API requires an API credential, so exploitation depends on prior authentication or token theft. However, OneLogin API tokens are commonly scoped broadly and stored in automation systems, which increases the realistic attack surface.
Root Cause
The root cause is improper resource scoping in the API response model. Sensitive fields intended for one-time exposure at creation time are returned on every read operation. This violates the principle that secrets should be write-only after initial generation. The CWE-669 classification reflects the transfer of a credential from a protected sphere (server-side secret store) to a less protected sphere (API response body) without enforcing the intended boundary.
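The serializer defect described in the analysis and root cause sections, as an added Python illustration (this is not OneLogin's code; the in-memory store, record shape and handler names are assumptions, and only the client_secret field name and the one-time-at-creation rule come from the advisory). The vulnerable serializer copies every stored field into the response body, so the secret crosses from the server-side store into every GET response; the fixed serializer emits it on the create response only, and leaks_secret is the kind of schema check a regression test can apply to each read response.

```python
# Added illustration (not OneLogin's code): a toy Apps-style API showing the
# serializer defect next to its corrected form. The record shape, store and
# handler names are assumed; only the field name client_secret and the
# one-time-at-creation rule come from the advisory.
from dataclasses import dataclass
import secrets

# Keys that must never appear in a read response body.
SENSITIVE_KEYS = {"client_secret"}


@dataclass
class OidcApp:
    app_id: int
    name: str
    client_id: str
    client_secret: str  # lives in the server-side secret store (protected sphere)


class AppStore:
    """In-memory stand-in for the application configuration store."""

    def __init__(self):
        self._apps = {}
        self._next_id = 1

    def create(self, name):
        app = OidcApp(self._next_id, name,
                      "cid-" + secrets.token_hex(4), secrets.token_urlsafe(32))
        self._apps[app.app_id] = app
        self._next_id += 1
        return app

    def get(self, app_id):
        return self._apps[app_id]


def serialize_vulnerable(app):
    """Pre-fix behaviour: every field is copied into the response, so the
    secret crosses into the API response body on each GET as well as on create."""
    return {"id": app.app_id, "name": app.name,
            "client_id": app.client_id, "client_secret": app.client_secret}


def serialize_fixed(app, on_create=False):
    """Fixed behaviour: the secret is included only in the create response;
    reads return the non-sensitive metadata only."""
    body = {"id": app.app_id, "name": app.name, "client_id": app.client_id}
    if on_create:
        body["client_secret"] = app.client_secret
    return body


def handle_create(store, name, fixed=True):
    """POST /api/2/apps equivalent: the one place the secret may be disclosed."""
    app = store.create(name)
    return serialize_fixed(app, on_create=True) if fixed else serialize_vulnerable(app)


def handle_get(store, app_id, fixed=True):
    """GET /api/2/apps/{id} equivalent."""
    app = store.get(app_id)
    return serialize_fixed(app) if fixed else serialize_vulnerable(app)


def leaks_secret(body):
    """Regression check for response schemas: True if any sensitive key is present."""
    return bool(SENSITIVE_KEYS & set(body))


if __name__ == "__main__":
    for fixed in (False, True):
        store = AppStore()
        created = handle_create(store, "payroll", fixed=fixed)
        read = handle_get(store, created["id"], fixed=fixed)
        print("fixed" if fixed else "vulnerable",
              "-> secret in create:", leaks_secret(created),
              "| secret in GET:", leaks_secret(read))
```

The design point is that the read path and the create path get different serializers rather than one serializer with a field filter bolted on afterwards: a single allow-list of non-sensitive fields for reads means a newly added secret-bearing field cannot leak by default.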
Attack Vector
An attacker with a valid OneLogin API credential issues a GET request to the Apps API v2 endpoint for each application of interest. The response payload contains the OIDC client_secret value alongside non-sensitive metadata. The attacker collects these secrets and uses them against the OneLogin OIDC token endpoint to obtain access tokens as the impersonated application. No user interaction is required, and the action leaves only standard API access log entries. See the OneLogin Knowledge Base Article for vendor-provided technical context.
Detection Methods for CVE-2025-59363
Indicators of Compromise
- Unusual volumes of GET /api/2/apps and GET /api/2/apps/{id} requests from a single API credential within a short window
- API access from IP addresses or ASNs not previously associated with administrative automation
- OIDC token requests using client_credentials or authorization_code grants from unexpected source addresses shortly after Apps API enumeration
- API tokens performing read operations across applications they do not normally manage
Detection Strategies
- Audit OneLogin API logs for sequential or bulk reads of application records, particularly those returning OIDC configuration
- Correlate Apps API read events with subsequent OIDC token issuance to detect secret reuse patterns
- Baseline normal API consumer behavior and alert on deviations in endpoint coverage or request rate
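The first indicator (bulk reads of /api/2/apps/{id} from one credential in a short window) and the second detection strategy (correlating those reads with later OIDC token issuance from unexpected addresses), as an added Python example run over constructed JSON-lines events. This is not OneLogin's code or its log schema: the event and field names, the path pattern, the thresholds and the sample entries are assumptions chosen for illustration and need to be mapped onto the real log fields.

```python
# Added example (not OneLogin's code or log schema): detection logic for
# bulk application reads and for token requests that follow them, run over
# constructed JSON-lines events. Event names, field names, the path pattern
# and the thresholds are assumptions; map them to your real log fields.
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: credential auto-1 reads six app records in six
# seconds, auto-2 reads one record, then two OIDC token requests follow, one
# from an allowlisted address and one from an unknown address.
SAMPLE_LOG = """\
{"ts":"2025-09-20T10:00:01Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/1"}
{"ts":"2025-09-20T10:00:02Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/2"}
{"ts":"2025-09-20T10:00:03Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/3"}
{"ts":"2025-09-20T10:00:04Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/4"}
{"ts":"2025-09-20T10:00:05Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/5"}
{"ts":"2025-09-20T10:00:06Z","event":"api_read","api_client":"auto-1","src_ip":"10.0.0.5","path":"/api/2/apps/6"}
{"ts":"2025-09-20T10:03:00Z","event":"api_read","api_client":"auto-2","src_ip":"10.0.0.7","path":"/api/2/apps/3"}
{"ts":"2025-09-20T10:05:00Z","event":"oidc_token","oidc_client_id":"app3-cid","src_ip":"10.0.0.20","grant_type":"authorization_code"}
{"ts":"2025-09-20T10:12:00Z","event":"oidc_token","oidc_client_id":"app2-cid","src_ip":"203.0.113.9","grant_type":"client_credentials"}
"""

APP_READ = re.compile(r"^/api/2/apps/\d+$")   # single-application read
ALLOWLIST = {"10.0.0.20"}                     # known token-requesting hosts (assumed)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime ts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_reads(events, window=timedelta(minutes=5), min_apps=5):
    """Return {api_client: first_ts} for credentials that read at least
    min_apps distinct application records within any window-sized span."""
    reads = defaultdict(list)
    for e in events:
        if e["event"] == "api_read" and APP_READ.match(e["path"]):
            reads[e["api_client"]].append((e["ts"], e["path"]))
    flagged = {}
    for client, items in reads.items():          # items are time-ordered
        for i, (t0, _) in enumerate(items):
            distinct = {p for t, p in items[i:] if t - t0 <= window}
            if len(distinct) >= min_apps:
                flagged[client] = t0
                break
    return flagged


def correlate_token_use(events, flagged, allowlist=ALLOWLIST,
                        horizon=timedelta(hours=1)):
    """Pair flagged enumeration with later OIDC token requests from
    non-allowlisted addresses: the secret-reuse pattern."""
    alerts = []
    for e in events:
        if e["event"] != "oidc_token" or e["src_ip"] in allowlist:
            continue
        for client, t0 in flagged.items():
            if t0 <= e["ts"] <= t0 + horizon:
                alerts.append({"enumerating_credential": client,
                               "oidc_client_id": e["oidc_client_id"],
                               "src_ip": e["src_ip"], "grant": e["grant_type"],
                               "ts": e["ts"].isoformat()})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log text; returns (flagged credentials, alerts)."""
    events = parse_events(text)
    flagged = find_bulk_reads(events)
    return flagged, correlate_token_use(events, flagged)


if __name__ == "__main__":
    flagged, alerts = run()
    print("bulk app enumeration by:", sorted(flagged))
    for a in alerts:
        print("possible secret reuse:", a)
```

The thresholds (five distinct applications in five minutes, a one-hour correlation horizon) are starting points; the baselining recommended above should set them per credential, since a legitimate configuration-sync job may read every application on a schedule and should be allowlisted by credential and source address rather than by raising the global threshold.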
- Treat any API credential capable of reading client_secret values as a Tier 0 asset and monitor accordingly
Monitoring Recommendations
- Forward OneLogin event and API logs into a centralized analytics platform for retention and correlation
- Enable alerting on USER_LOGGED_INTO_API and application read events from non-allowlisted source IPs
- Track issuance of new API credentials and review their scopes against business need
- Monitor downstream service providers for anomalous OIDC token activity tied to OneLogin-issued client IDs
How to Mitigate CVE-2025-59363
Immediate Actions Required
- Upgrade OneLogin to version 2025.3.0 or later, which removes client_secret from Apps API v2 read responses
- Rotate OIDC client secrets for every application configured in OneLogin prior to the upgrade
- Review and revoke OneLogin API credentials with unnecessary Apps read scope
- Audit OneLogin API access logs for the period preceding the patch to identify potential secret harvesting
Patch Information
One Identity addressed the issue in OneLogin 2025.3.0. The fix prevents the Apps API v2 from returning OIDC client secrets on subsequent reads, restoring the intended one-time disclosure at creation. Customers should consult the OneLogin Knowledge Base Article for upgrade guidance and version-specific notes.
Workarounds
- Restrict OneLogin API credentials to the minimum scopes required and remove application read access where not essential
- Allowlist source IP addresses for API consumers and block public internet access to the OneLogin API where possible
- Pre-emptively rotate OIDC client secrets and update dependent applications to reduce the value of any previously leaked material
- Enable mandatory multi-factor authentication on administrative accounts that can create or view API credentials
# Example: rotate an OIDC client secret via the OneLogin API after upgrading to 2025.3.0
curl -X POST "https://<subdomain>.onelogin.com/api/2/apps/<app_id>/secret/rotate" \
-H "Authorization: Bearer <admin_api_token>" \
-H "Content-Type: application/json"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.