CVE-2025-52924: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in One Identity OneLogin
In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.
AI Analysis
Technical Summary
CVE-2025-52924 is a medium-severity SQL Injection vulnerability affecting One Identity's OneLogin product versions prior to 2025.2.0. The vulnerability arises because the SQL connection parameter "application name" is set dynamically based on the value of the HTTP request header X-RequestId, which is untrusted user input. This improper neutralization of special elements in an SQL command (CWE-89) allows an attacker to inject malicious SQL code via the X-RequestId header. Although the injection point is limited to the connection string parameter rather than direct query parameters, the vulnerability can lead to manipulation of the SQL connection context. According to the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), the attack can be executed remotely over the network without authentication or user interaction, but requires high attack complexity. The impact is limited to partial confidentiality loss due to potential exposure of some database metadata or connection details, with no direct integrity or availability impact. The vulnerability affects the way OneLogin establishes its SQL connections, potentially allowing attackers to influence the connection context or gain limited information disclosure. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. This vulnerability highlights the risk of using untrusted HTTP headers to configure database connection parameters without proper sanitization or validation.
Potential Impact
For European organizations using One Identity OneLogin for identity and access management, this vulnerability could lead to limited exposure of sensitive database connection information, potentially aiding attackers in reconnaissance or further exploitation. While the direct impact on confidentiality is low, the vulnerability could be leveraged as part of a multi-stage attack chain targeting authentication infrastructure. Given OneLogin's role in managing user identities and access, any compromise or information leakage could undermine trust in authentication processes, leading to increased risk of unauthorized access or lateral movement within networks. Organizations in Europe relying on OneLogin should be aware that attackers do not need credentials or user interaction to attempt exploitation, although the attack complexity is high. The vulnerability's scope includes all deployments of affected OneLogin versions, which may be present in sectors with stringent regulatory requirements such as finance, healthcare, and government, increasing the potential impact of any compromise.
Mitigation Recommendations
European organizations should immediately verify their OneLogin version and upgrade to 2025.2.0 or later once available, as this version addresses the vulnerability by properly handling the X-RequestId header. In the interim, organizations can implement web application firewall (WAF) rules to detect and block suspicious or malformed X-RequestId headers containing SQL control characters or injection patterns. Network segmentation and strict access controls around OneLogin servers can reduce exposure. Monitoring logs for unusual or unexpected X-RequestId header values and SQL connection anomalies can provide early detection of exploitation attempts. Additionally, organizations should review and harden their database connection configurations to avoid reliance on untrusted input for connection parameters. Engaging with One Identity support for any available patches or workarounds is recommended. Finally, conducting penetration testing focused on injection vectors in authentication infrastructure can help identify residual risks.
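The root cause described above (an untrusted X-RequestId header copied into the SQL connection's "application name") and the interim mitigations (rejecting malformed header values, monitoring logs for unexpected ones) can be illustrated together. The following is an added example written for this page, not OneLogin's code or One Identity's fix: the allowlist pattern for a request id, the log line format, and every function name are assumptions chosen for the demonstration. It shows the vulnerable concatenation pattern beside a hardened builder that validates the header against a strict allowlist and falls back to a server-generated id, and reuses the same validator to scan constructed access-log lines for header values that a WAF rule or log monitor should flag.

```python
import re
import uuid

# Allowlist for a correlation id: letters, digits, dots and hyphens, at most 64
# characters. This is an assumption for the example; the real product's id
# format is not documented on the page. Anything outside it is rejected.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9.\-]{1,64}")

# Extracts the header value from the constructed log format used below.
LOG_HEADER_RE = re.compile(r'x-request-id="([^"]*)"')


def is_valid_request_id(value):
    """True only if the value is a non-empty string matching the allowlist."""
    if not isinstance(value, str):
        return False
    return REQUEST_ID_RE.fullmatch(value) is not None


def vulnerable_connection_string(base, request_id):
    """Vulnerable pattern: the raw header value is concatenated into the
    connection string, so ';' and '=' from the header land inside the
    keyword/value grammar of the connection string."""
    return f"{base};Application Name=OneLogin-{request_id}"


def safe_application_name(request_id):
    """Hardened: use the client's id only if it passes the allowlist,
    otherwise substitute a server-generated UUID."""
    if not is_valid_request_id(request_id):
        request_id = str(uuid.uuid4())
    return f"OneLogin-{request_id}"


def hardened_connection_string(base, request_id):
    """Build the connection string from a validated application name only."""
    name = safe_application_name(request_id)
    # The allowlist excludes connection-string metacharacters; this check is a
    # last-line guard in case the allowlist is ever loosened by mistake.
    if ";" in name or "=" in name or '"' in name or "'" in name:
        raise ValueError("application name contains connection-string metacharacters")
    return f"{base};Application Name={name}"


# Constructed sample access-log lines (not real OneLogin logs). Line 3 has no
# X-RequestId header at all, which is legitimate: the server generates one.
SAMPLE_LOG = [
    '2025-07-19T02:31:10Z 203.0.113.5 GET /login x-request-id="3f2a9c1e-1b2c-4d5e-8f90-abcdef123456"',
    '2025-07-19T02:31:11Z 203.0.113.5 POST /login x-request-id="req-7;Extra=1"',
    '2025-07-19T02:31:12Z 198.51.100.9 GET /health',
    '2025-07-19T02:31:13Z 203.0.113.5 GET /login x-request-id="abc def"',
]


def scan_access_log(lines):
    """Return (1-based line number, header value) for every X-RequestId value
    that fails the allowlist. Lines without the header are skipped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = LOG_HEADER_RE.search(line)
        if match is None:
            continue
        value = match.group(1)
        if not is_valid_request_id(value):
            findings.append((lineno, value))
    return findings


if __name__ == "__main__":
    base = "Server=db.example.internal;Database=onelogin"
    hostile = "req-7;Extra=1"  # constructed malformed header value
    print("vulnerable:", vulnerable_connection_string(base, hostile))
    print("hardened:  ", hardened_connection_string(base, hostile))
    print("log findings:", scan_access_log(SAMPLE_LOG))
```

The hardened builder never rejects a request outright: a bad header simply loses its influence over the connection and is replaced with a server-side id, which keeps correlation working while removing the untrusted input from the connection parameters. The same `is_valid_request_id` predicate doubles as the detection rule, so what the application refuses and what the monitor alerts on stay in step.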
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687b036ea83201eaacf8db36
Added to database: 7/19/2025, 2:31:10 AM
Last enriched: 7/27/2025, 12:46:12 AM
Last updated: 8/15/2025, 11:38:14 PM