CVE-2025-59363
📋 TL;DR
This vulnerability in One Identity OneLogin exposes OIDC client secrets through the GET Apps API v2, which should only be accessible during initial app creation. Attackers can obtain these secrets to impersonate legitimate applications and potentially compromise authentication flows. Organizations using OneLogin versions before 2025.3.0 are affected.
💻 Affected Systems
- One Identity OneLogin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain OIDC client secrets, impersonate legitimate applications, bypass authentication, access sensitive user data, and potentially compromise entire identity management infrastructure.
Likely Case
Attackers harvest client secrets to create malicious OIDC applications, perform unauthorized authentication, and access protected resources through compromised identity flows.
If Mitigated
With proper network segmentation and API access controls, impact is limited to potential exposure of client secrets requiring rotation.
🎯 Exploit Status
Exploitation requires authenticated API access to the GET Apps endpoint. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.3.0
Vendor Advisory: https://onelogin.service-now.com/support?id=kb_article&sys_id=b0aad1e11bd3ea109a47ec29b04bcb72&kb_category=a0d76d70db185340d5505eea4b96199f
Restart Required: No
Instructions:
1. Upgrade OneLogin to version 2025.3.0 or later.
2. Verify the upgrade completed successfully.
3. Rotate all OIDC client secrets as a precautionary measure.
🔧 Temporary Workarounds
Restrict API Access
Limit access to the GET Apps API v2 endpoint to authorized administrators and systems only.
Rotate OIDC Client Secrets
Immediately rotate all OIDC client secrets to invalidate any potentially exposed credentials.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OneLogin systems and restrict API access
- Deploy web application firewall rules to block suspicious API requests to GET Apps endpoints
🔍 How to Verify
Check if Vulnerable:
Check OneLogin version via admin interface. If version is below 2025.3.0, the system is vulnerable.
Check Version:
Check admin dashboard or use OneLogin API to query system version
Verify Fix Applied:
After upgrading to 2025.3.0, verify that GET Apps API v2 no longer returns OIDC client secrets in responses.
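One way to perform the post-upgrade check described above, as an added example rather than OneLogin's own code: it calls the GET Apps API v2 path named in this advisory and walks the decoded response for secret-like keys that still carry an unmasked value, reporting JSON paths only, never the values. The ONELOGIN_BASE and ONELOGIN_TOKEN environment variables and the key-name pattern are assumptions.

```python
# Added example for this advisory, not OneLogin's own code. Assumes a bearer
# token in ONELOGIN_TOKEN and a tenant base URL in ONELOGIN_BASE; the
# secret-key name pattern is a heuristic assumption, not a vendor field list.
import json
import os
import re
import urllib.request

# Keys a listing response should never carry with a real value (assumed pattern).
SECRET_KEY_RE = re.compile(r"secret|private_key", re.IGNORECASE)


def _is_masked(value):
    """True for empty values or vendor-style masks such as '****'."""
    return value in (None, "") or (isinstance(value, str) and set(value) <= {"*"})


def find_exposed_secrets(obj, path="$"):
    """Walk a decoded JSON body and return the JSON paths of secret-like
    keys that still hold an unmasked value (the values are not retained)."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SECRET_KEY_RE.search(key) and not _is_masked(value):
                hits.append(child)
            hits.extend(find_exposed_secrets(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_exposed_secrets(item, f"{path}[{i}]"))
    return hits


def fetch_apps(base_url, token):
    """Call GET /api/2/apps (the path named in this advisory) and decode it."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/2/apps",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample bodies: one shaped like a still-leaking listing, one clean.
LEAKY_SAMPLE = [{"id": 1, "name": "payroll",
                 "configuration": {"client_id": "abc", "client_secret": "s3cr3t"}}]
CLEAN_SAMPLE = [{"id": 1, "name": "payroll", "configuration": {"client_id": "abc"}}]

if __name__ == "__main__":
    hits = find_exposed_secrets(fetch_apps(os.environ["ONELOGIN_BASE"],
                                           os.environ["ONELOGIN_TOKEN"]))
    print("clean: no secret material returned" if not hits else f"still exposed at: {hits}")
```

Run it against the tenant after the upgrade and again after rotating secrets; any reported path means the listing still carries credential material and the upgrade should be re-checked.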
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of GET requests to /api/2/apps endpoint
- API requests from unexpected IP addresses or user agents
Network Indicators:
- Excessive API calls to app endpoints from single sources
- Patterns of credential harvesting behavior
SIEM Query:
source="onelogin" AND (uri_path="/api/2/apps" OR endpoint="GET Apps") | stats count by src_ip, user