Microsoft Identity Web Vulnerability Exposes Client Secrets and Certificates

A moderate-severity vulnerability (CVE-2025-32016) in Microsoft Identity Web has been identified that could expose sensitive information, such as client secrets and certificate details, in service logs.

Microsoft announced the vulnerability yesterday, along with patches and workarounds to mitigate potential security risks.

The vulnerability, tracked on GitHub as advisory GHSA-rpq8-q44m-2rpg, affects versions 3.2.0 through 3.8.1 of Microsoft.Identity.Web, a library widely used to integrate Microsoft Entra ID (formerly Azure Active Directory) authentication into .NET applications.

The advisory assigns it a CVSS score of 4.7, which places it in the moderate-severity band.

Vulnerability Details and Impact Assessment

This flaw specifically affects confidential client applications, that is, applications that authenticate with a credential of their own: daemons, web apps, and web APIs that use Microsoft Identity Web to acquire tokens.

Under certain conditions, sensitive authentication information could be inadvertently written to service logs, potentially exposing private credentials.

The exposure occurs when the Microsoft.Identity.Web namespace logs at the Information level: the credential descriptions it writes can include any of the following:

  • Local certificate file paths together with their passwords
  • Base64-encoded certificate values
  • Client secrets

Additionally, services that use Base64-encoded certificates, or certificate paths with a password, have those credential descriptions written to the log when the certificate is invalid or expired, regardless of the configured log level.

However, Microsoft notes that credentials exposed in that second case are not usable for authentication, because the certificate is already invalid or expired.

The advisory, published on GitHub by jennyf19, emphasizes that applications which already restrict access to their service logs may not be impacted.

However, organizations should still take immediate action to address the potential exposure.

Mitigation Strategies and Recommended Actions

Microsoft has released patches to address this vulnerability.

Organizations using the affected software should update to Microsoft.Identity.Web version 3.8.2 or later, which depends on Microsoft.Identity.Abstractions version 9.0.0.

For organizations unable to update immediately, Microsoft has provided several workarounds:

  1. Ensure that service logs are handled securely, with access restricted to those who need it
  2. Avoid using LogLevel = Information for the Microsoft.Identity.Web namespace
  3. Do not use ClientCredentials with CredentialDescriptions whose CredentialSource is ClientSecret, Base64Encoded, or Path

For production environments, Microsoft recommends using certificates from Key Vault or a certificate store, or using federated identity credentials with a managed identity, instead of the affected credential sources.
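As an added example (not taken from the advisory or from the library's own documentation), the following appsettings.json fragments for an ASP.NET Core web API show an affected configuration beside a hardened one that applies the workarounds and the production recommendation above. The property names (SourceType, ClientSecret, CertificateDiskPath, CertificatePassword, KeyVaultUrl, KeyVaultCertificateName, CertificateStorePath, CertificateDistinguishedName, SignedAssertionFromManagedIdentity, ManagedIdentityClientId) are the ones Microsoft.Identity.Web binds from the AzureAd section; the tenant, client and managed-identity IDs, the vault URL and the certificate names are placeholders. The // comments are accepted by the .NET JSON configuration provider.

```json
// appsettings.json, AFFECTED configuration (do not use in production).
// Both credential descriptions carry secret material (a client secret, and a
// certificate path plus its password), and Microsoft.Identity.Web logs at the
// Information level, so that description can end up in the service log.
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.Identity.Web": "Information"
    }
  },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientCredentials": [
      { "SourceType": "ClientSecret", "ClientSecret": "<placeholder-client-secret>" },
      { "SourceType": "Path",
        "CertificateDiskPath": "C:\\certs\\api-client.pfx",
        "CertificatePassword": "<placeholder-pfx-password>" }
    ]
  }
}

// appsettings.json, HARDENED configuration.
// Workaround 2: the Microsoft.Identity.Web namespace no longer logs at Information.
// Workaround 3 / production recommendation: no ClientSecret, Base64Encoded or Path
// sources; the credential is a managed-identity federated assertion, a Key Vault
// certificate, or a certificate-store certificate, none of which puts secret
// material into the credential description.
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.Identity.Web": "Warning"
    }
  },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientCredentials": [
      // Federated identity credential backed by a user-assigned managed identity.
      // Omit ManagedIdentityClientId to use the system-assigned identity instead.
      { "SourceType": "SignedAssertionFromManagedIdentity",
        "ManagedIdentityClientId": "22222222-2222-2222-2222-222222222222" },
      // Certificate retrieved from Key Vault at startup (placeholder vault and name).
      { "SourceType": "KeyVault",
        "KeyVaultUrl": "https://placeholder-vault.vault.azure.net",
        "KeyVaultCertificateName": "api-client-cert" },
      // Certificate from the local store, located by distinguished name.
      { "SourceType": "StoreWithDistinguishedName",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateDistinguishedName": "CN=api-client-cert" }
    ]
  }
}
```

The library walks the ClientCredentials array in order and uses the first entry it can load, so listing the managed-identity assertion first and the certificate sources after it gives a fallback without reintroducing a secret-bearing description. The managed-identity entry only works once a federated identity credential for that managed identity has been added to the app registration, and the Key Vault entry requires the application's identity to be allowed to read the certificate from the vault. None of this replaces the upgrade to 3.8.2; it limits what an Information-level log line can contain until the upgrade lands.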

The vulnerability was made public through Microsoft’s Identity Bounty Program, which offers rewards ranging from $750 to $100,000 for identifying vulnerabilities in identity products and services.

The changelog for Microsoft Identity Web 3.8.2 confirms that the update to Microsoft.Identity.Abstractions 9.0.0 is the primary change in this security release.

This represents the third update in April 2025 for the Microsoft Identity Web library, following versions 3.8.0 and 3.8.1 released earlier.

Organizations using Microsoft Identity Web in their authentication workflows should prioritize this update to prevent the potential exposure of sensitive credential information in their service logs.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
