Microsoft Identity Web Package Vulnerability Exposes Client Secrets & Certificate Information

A moderate-severity vulnerability has been identified in Microsoft Identity Web. Under specific conditions, it could potentially expose sensitive client secrets and certificate information in service logs. 

The flaw, tracked as CVE-2025-32016, impacts versions 3.2.0 through 3.8.1 of the library and has prompted an urgent advisory from Microsoft.

The vulnerability affects Microsoft.Identity.Web, a widely used NuGet package that simplifies Azure Active Directory authentication for .NET applications. 

It is commonly employed in confidential client applications, including daemons, web apps, and web APIs.

Overview of the Vulnerability

The issue arises when sensitive authentication information is logged under certain configurations, specifically:

  • Log level: logs are generated at the Information level.
  • Credential descriptions: logs containing local file paths with passwords, Base64 encoded values, or client secrets.
  • Invalid or expired certificates: logs from services using invalid or expired Base64 encoded certificates, or certificate paths with password credential descriptions.

“This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications,” states the advisory.

Marcel Michau was credited with the discovery, and Jean-Marc Prieur and Jenny Ferris from the Microsoft Identity team handled remediation development. 

The summary of the vulnerability is given below:

Risk Factors           Details
Affected Products      Microsoft.Identity.Web (versions 3.2.0 to <3.8.2) and Microsoft.Identity.Abstractions (versions 7.1.0 to <9.0.0)
Impact                 Exposure of sensitive information
Exploit Prerequisites  Logging level set to Information; logs containing credential descriptions such as Base64 encoded values, client secrets, or invalid/expired certificates
CVSS 3.1 Score         4.7 (Moderate Severity)

Impact of the Vulnerability

The exposure specifically occurs under the following conditions:

  • When service logs are generated at the LogLevel = Information for the Microsoft.Identity.Web namespace
  • When credential descriptions contain local file paths with passwords, Base64 encoded values, or client secrets
  • When logs include Base64 encoded certificates or certificate paths with password credential descriptions that are invalid or expired (regardless of log level)

The vulnerability received a CVSS score of 4.7, reflecting its moderate severity. While the impact depends on how securely service logs are handled, organizations with inadequate log protection practices could face significant security risks if malicious actors obtain these credentials.

Microsoft has released patches to address this issue, with users urged to update to:

  • Microsoft.Identity.Web version 3.8.2
  • Microsoft.Identity.Abstractions version 9.0.0

The patched versions prevent the logging of sensitive authentication information.

For organizations unable to immediately update their packages, several workarounds have been suggested:

  • Ensure service logs are handled securely with restricted access
  • Avoid using LogLevel = Information for the Microsoft.Identity.Web namespace
  • For production environments, avoid using ClientCredentials with CredentialDescriptions where CredentialSource is set to ClientSecret, Base64Encoded, or Path

Security experts recommend using certificates from Key Vault or a certificate store, or using federated identity credentials with a managed identity, as more secure alternatives.
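As an added illustration (not code from the advisory or the Microsoft.Identity.Web project), the following Python audit checks an appsettings.json-style configuration for the two conditions the workarounds above target: the Microsoft.Identity.Web namespace logging at Information or more verbose, and ClientCredentials entries whose SourceType is ClientSecret, Base64Encoded, or Path. The configuration keys follow the Microsoft.Identity.Web schema; the sample configurations, vault URL and certificate name are constructed placeholders.

```python
import json

# Credential sources the advisory says to avoid in production.
RISKY_SOURCES = {"ClientSecret", "Base64Encoded", "Path"}
NAMESPACE = "Microsoft.Identity.Web"
VERBOSE = {"Trace", "Debug", "Information"}


def effective_level(log_levels, namespace):
    """Resolve the level ASP.NET Core applies to a log category: the longest
    matching category prefix wins, otherwise Default (Information when unset).
    Simplification: key comparison here is case-sensitive."""
    best = None
    for category in log_levels:
        if category == "Default":
            continue
        if namespace == category or namespace.startswith(category + "."):
            if best is None or len(category) > len(best):
                best = category
    return log_levels[best] if best else log_levels.get("Default", "Information")


def audit(appsettings):
    """Return a list of findings for a parsed appsettings.json dictionary."""
    findings = []
    levels = appsettings.get("Logging", {}).get("LogLevel", {})
    if effective_level(levels, NAMESPACE) in VERBOSE:
        findings.append(f"{NAMESPACE} logs at Information or more verbose")
    for cred in appsettings.get("AzureAd", {}).get("ClientCredentials", []):
        source = cred.get("SourceType")
        if source in RISKY_SOURCES:
            findings.append(f"ClientCredentials entry uses SourceType={source}")
    return findings


# Constructed sample: default Information logging plus a client secret.
WEAK_APPSETTINGS = """{
  "Logging": {"LogLevel": {"Default": "Information"}},
  "AzureAd": {"ClientCredentials": [
    {"SourceType": "ClientSecret", "ClientSecret": "<placeholder-secret>"}]}
}"""

# Constructed sample: namespace override to Warning and a Key Vault certificate.
HARDENED_APPSETTINGS = """{
  "Logging": {"LogLevel": {"Default": "Information",
                           "Microsoft.Identity.Web": "Warning"}},
  "AzureAd": {"ClientCredentials": [
    {"SourceType": "KeyVault",
     "KeyVaultUrl": "https://example-vault.vault.azure.net",
     "KeyVaultCertificateName": "app-cert"}]}
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_APPSETTINGS), ("hardened", HARDENED_APPSETTINGS)):
        print(name, audit(json.loads(text)))
```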

The advisory notes that “Service logs are intended to be handled securely,” emphasizing that organizations with proper log security measures may not be impacted. 

However, the widespread use of Microsoft Identity Web across enterprise applications makes this vulnerability particularly concerning.

This vulnerability highlights the critical importance of secure logging practices, especially when handling authentication credentials. 

Organizations using affected versions of Microsoft Identity Web are strongly encouraged to implement the necessary updates or workarounds to protect their authentication credentials from potential exposure.

