CVE-2025-52924: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in One Identity OneLogin

Severity: Medium
Tags: Vulnerability, CVE-2025-52924, cve, cve-2025-52924, cwe-89
Published: Sat Jul 19 2025 (07/19/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: One Identity
Product: OneLogin

Description

In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.

AI-Powered Analysis

Last updated: 07/27/2025, 00:46:12 UTC

Technical Analysis

CVE-2025-52924 is a medium-severity SQL Injection vulnerability affecting One Identity's OneLogin product versions prior to 2025.2.0. The vulnerability arises because the SQL connection parameter "application name" is set dynamically based on the value of the HTTP request header X-RequestId, which is untrusted user input. This improper neutralization of special elements in an SQL command (CWE-89) allows an attacker to inject malicious SQL code via the X-RequestId header. Although the injection point is limited to the connection string parameter rather than direct query parameters, the vulnerability can lead to manipulation of the SQL connection context. According to the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), the attack can be executed remotely over the network without authentication or user interaction, but requires high attack complexity. The impact is limited to partial confidentiality loss due to potential exposure of some database metadata or connection details, with no direct integrity or availability impact. The vulnerability affects the way OneLogin establishes its SQL connections, potentially allowing attackers to influence the connection context or gain limited information disclosure. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. This vulnerability highlights the risk of using untrusted HTTP headers to configure database connection parameters without proper sanitization or validation.

Potential Impact

For European organizations using One Identity OneLogin for identity and access management, this vulnerability could lead to limited exposure of sensitive database connection information, potentially aiding attackers in reconnaissance or further exploitation. While the direct impact on confidentiality is low, the vulnerability could be leveraged as part of a multi-stage attack chain targeting authentication infrastructure. Given OneLogin's role in managing user identities and access, any compromise or information leakage could undermine trust in authentication processes, leading to increased risk of unauthorized access or lateral movement within networks. Organizations in Europe relying on OneLogin should be aware that attackers do not need credentials or user interaction to attempt exploitation, although the attack complexity is high. The vulnerability's scope includes all deployments of affected OneLogin versions, which may be present in sectors with stringent regulatory requirements such as finance, healthcare, and government, increasing the potential impact of any compromise.

Mitigation Recommendations

European organizations should immediately verify their OneLogin version and upgrade to 2025.2.0 or later once available, as this version addresses the vulnerability by properly handling the X-RequestId header. In the interim, organizations can implement web application firewall (WAF) rules to detect and block suspicious or malformed X-RequestId headers containing SQL control characters or injection patterns. Network segmentation and strict access controls around OneLogin servers can reduce exposure. Monitoring logs for unusual or unexpected X-RequestId header values and SQL connection anomalies can provide early detection of exploitation attempts. Additionally, organizations should review and harden their database connection configurations to avoid reliance on untrusted input for connection parameters. Engaging with One Identity support for any available patches or workarounds is recommended. Finally, conducting penetration testing focused on injection vectors in authentication infrastructure can help identify residual risks.
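The allowlist validation and log monitoring recommended above can be sketched as follows. This is an added example, not One Identity's code: the allowlist pattern, the `request_id="..."` log format, the `webapp` prefix and all function names are assumptions made for illustration.

```python
import re
import uuid

# Assumption: legitimate request IDs are UUIDs or short tokens of
# letters, digits, '-' and '_'. Adjust to what your clients really send.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Assumption: logs record the header as request_id="..." (constructed format).
LOG_FIELD_RE = re.compile(r'request_id="((?:[^"\\]|\\.)*)"')

def is_valid_request_id(value):
    """True only if the whole value matches the allowlist."""
    return isinstance(value, str) and REQUEST_ID_RE.fullmatch(value) is not None

def safe_request_id(header_value):
    """Keep the client value if it passes the allowlist, else generate one server-side."""
    if is_valid_request_id(header_value):
        return header_value
    return str(uuid.uuid4())

def application_name(header_value, prefix="webapp"):
    """Value a service could pass as the SQL connection's application name."""
    return f"{prefix}:{safe_request_id(header_value)}"

def flag_suspicious(log_lines):
    """Return (line_number, raw_value) for entries whose request ID fails the allowlist."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = LOG_FIELD_RE.search(line)
        if match and not is_valid_request_id(match.group(1)):
            findings.append((number, match.group(1)))
    return findings

# Constructed sample log lines (not from a real OneLogin deployment).
SAMPLE_LOG = [
    '2025-07-20T10:00:01Z GET /login request_id="3f2b8c1e-7a4d-4e0b-9c55-0d1e2f3a4b5c" status=200',
    '2025-07-20T10:00:02Z GET /login request_id="req_12345" status=200',
    '2025-07-20T10:00:03Z GET /login request_id="abc;key=value" status=200',
    '2025-07-20T10:00:04Z GET /login request_id="it\'s" status=200',
    '2025-07-20T10:00:05Z GET /login request_id="' + "A" * 200 + '" status=200',
]

if __name__ == "__main__":
    for number, value in flag_suspicious(SAMPLE_LOG):
        print(f"line {number}: unexpected X-RequestId {value[:40]!r}")
```

Values that fail the allowlist are never passed through to the connection parameter; they are replaced with a server-generated UUID and the original is left in the log for review.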


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-22T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687b036ea83201eaacf8db36

Added to database: 7/19/2025, 2:31:10 AM

Last enriched: 7/27/2025, 12:46:12 AM

Last updated: 8/18/2025, 1:22:23 AM
