Microsoft Identity Web Flaw Exposes Sensitive Client Secrets and Certificates

A new vulnerability has been discovered in the Microsoft.Identity.Web NuGet package under specific conditions, potentially exposing sensitive information such as client secrets and certificate details in service logs.

The flaw, identified as CVE-2025-32016, has been rated as moderate, prompting developers to urgently address the issue to prevent unintended data exposure.

Overview of the Vulnerability:

The vulnerability impacts confidential client applications such as daemons, web applications, and web APIs.

Sensitive data, including client secrets, Base64-encoded certificates, or certificate paths with password descriptors, could be exposed when service logs are generated under certain conditions.

Affected Scenarios:

  • Logging Level: Logs generated at the “Information” level are vulnerable.
  • Credential Descriptions: Certain credential types, such as client secrets, Base64-encoded values, certificate paths with passwords, or invalid/expired certificates, are prone to exposure within service logs.

Service logs are typically intended for secure handling, but this flaw introduces a risk of data leakage under specific configurations.

Applications using invalid or expired certificates may still be affected, regardless of their log level, though credentials in these cases are not usable due to invalidity.

Impact

The vulnerability primarily impacts services meeting the following conditions:

  1. Log Level: “Information” for Microsoft.Identity.Web.
  2. Credential Description:
    • Base64Encoded Credentials or Certificate Paths with Passwords: Impacted if invalid or expired.
    • Client Secrets: Impacted at “Information” log level.

Credential descriptions that do not use client secrets, Base64-encoded certificates, or certificate paths are unaffected. Applications whose logs are managed securely are also not impacted.

Recommendations for Production Environments

  • Avoid using ClientCredentials with CredentialSource set to:
    • ClientSecret
    • Base64Encoded
    • Path
  • Opt for certificates stored in Key Vault or in a certificate store. Alternatively, use federated identity credentials with a managed identity.

Microsoft has released fixes for the vulnerability. Developers are advised to upgrade to:

  • Microsoft.Identity.Web version 3.8.2
  • Microsoft.Identity.Abstractions version 9.0.0

For applications unable to upgrade immediately, the following measures are suggested:

  1. Secure Service Logs: Ensure logs are securely handled and access is strictly restricted.
  2. Log Level Adjustment: Avoid using the “Information” log level for the Microsoft.Identity.Web namespace.
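As an added example (not from the advisory or from the library's own documentation), an appsettings.json fragment that applies both recommendations: the affected credential sources are replaced by a Key Vault or certificate-store certificate, and the Microsoft.Identity.Web log level is lowered below "Information". The property names follow the Microsoft.Identity.Abstractions CredentialDescription schema as the author of this example understands it (the JSON property is SourceType, matching the CredentialSource enum; verify against your package version); tenant and client IDs, the vault URL and certificate names are placeholders, and the .NET JSON configuration provider accepts // comments.

```json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      // Keep the library below "Information" until the patched package is deployed.
      "Microsoft.Identity.Web": "Warning"
    }
  },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",   // placeholder
    "ClientId": "11111111-1111-1111-1111-111111111111",   // placeholder
    "ClientCredentials": [
      // Affected (do not use): the three source types the advisory says to avoid.
      // { "SourceType": "ClientSecret",  "ClientSecret": "<secret>" },
      // { "SourceType": "Base64Encoded", "Base64EncodedValue": "<pfx-as-base64>" },
      // { "SourceType": "Path", "CertificateDiskPath": "cert.pfx", "CertificatePassword": "<pw>" },

      // Preferred: certificate fetched from Key Vault, so no secret material
      // sits in configuration or can be echoed into service logs.
      {
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://example-vault.vault.azure.net",
        "KeyVaultCertificateName": "example-daemon-cert"
      },
      // Fallback: certificate from the local store, selected by subject name.
      {
        "SourceType": "StoreWithDistinguishedName",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateDistinguishedName": "CN=example-daemon-cert"
      }
      // Alternative for workloads running with a managed identity (federated
      // identity credential, no certificate to manage at all):
      // { "SourceType": "SignedAssertionFromManagedIdentity" }
    ]
  }
}
```

The library tries the entries of ClientCredentials in order, so list the Key Vault entry first and keep the affected source types out of the array entirely rather than merely lower in it.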

This discovery underscores the importance of secure logging practices and timely application updates.

Developers are strongly encouraged to upgrade to the patched versions or implement alternative workarounds to safeguard sensitive information. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
