
CVE-2025-59363: CWE-669 Incorrect Resource Transfer Between Spheres in One Identity OneLogin

High
Published: Sun Sep 14 2025 (09/14/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: One Identity
Product: OneLogin

Description

In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),

AI-Powered Analysis

Last updated: 09/15/2025, 00:11:04 UTC

Technical Analysis

CVE-2025-59363 is a high-severity vulnerability affecting One Identity's OneLogin product versions prior to 2025.3.0. The vulnerability is categorized under CWE-669, which pertains to Incorrect Resource Transfer Between Spheres. Specifically, the issue arises because the GET Apps API v2 endpoint improperly returns the OpenID Connect (OIDC) client secret when queried. Normally, the OIDC client secret should only be disclosed once, during the initial creation of an application, to maintain confidentiality. However, due to this flaw, subsequent GET requests to the Apps API v2 endpoint leak the client secret, exposing sensitive authentication credentials.

The vulnerability has a CVSS 3.1 base score of 7.7, reflecting its high severity. The vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) but no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially compromised component. The impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). Although no known exploits are currently reported in the wild, the exposure of OIDC client secrets can facilitate unauthorized access, token forgery, or impersonation attacks, potentially compromising identity and access management within affected environments. This vulnerability undermines the security model of OneLogin's API by leaking secrets that should be tightly controlled, increasing the risk of lateral movement or privilege escalation within enterprise identity infrastructures.
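As an added illustration (not OneLogin's code), the pattern behind a CWE-669 leak of this kind, shown beside a corrected read path: the hardened variant stores only a hash of the client secret, so no later read can return it, while the token endpoint still verifies clients against that hash. All class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical in-memory OIDC app record (illustration, not OneLogin's data model).
@dataclass
class OidcApp:
    app_id: int
    name: str
    client_id: str
    client_secret_hash: str        # hardened design keeps only this
    client_secret_plain: str = ""  # what the vulnerable read path hands back

def _hash_secret(secret: str) -> str:
    # Secrets are 256-bit random values, so a plain SHA-256 is sufficient here.
    return hashlib.sha256(secret.encode()).hexdigest()

def create_app(store: dict, name: str) -> dict:
    """Create is the one response allowed to carry the plaintext secret."""
    secret = secrets.token_urlsafe(32)
    app = OidcApp(len(store) + 1, name, secrets.token_hex(16), _hash_secret(secret), secret)
    store[app.app_id] = app
    return {"id": app.app_id, "name": name, "client_id": app.client_id, "client_secret": secret}

def get_app_vulnerable(store: dict, app_id: int) -> dict:
    """Pre-2025.3.0 behaviour described by the CVE: the read model serialises the secret."""
    app = store[app_id]
    return {"id": app.app_id, "name": app.name, "client_id": app.client_id,
            "client_secret": app.client_secret_plain}

def get_app_fixed(store: dict, app_id: int) -> dict:
    """Corrected read path: the secret is simply not part of the read model."""
    app = store[app_id]
    return {"id": app.app_id, "name": app.name, "client_id": app.client_id}

def verify_client(store: dict, client_id: str, presented_secret: str) -> bool:
    """Token-endpoint check that works from the hash alone, so plaintext need never be stored."""
    for app in store.values():
        if app.client_id == client_id:
            return hmac.compare_digest(app.client_secret_hash, _hash_secret(presented_secret))
    return False
```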

Potential Impact

For European organizations, the impact of CVE-2025-59363 can be significant, especially for those relying on OneLogin for identity and access management (IAM). The exposure of OIDC client secrets can allow attackers with some level of authenticated access to retrieve sensitive credentials, which can then be used to impersonate applications or services, bypass authentication controls, or escalate privileges. This could lead to unauthorized access to critical business applications, data breaches involving personal or sensitive information protected under GDPR, and disruption of secure single sign-on (SSO) workflows. Given the central role of IAM in securing cloud and on-premises resources, exploitation could facilitate broader compromise across enterprise networks. The confidentiality breach could also damage organizational reputation and lead to regulatory penalties. Since the vulnerability requires some level of privilege (PR:L), insider threats or compromised accounts could be leveraged to exploit this flaw, emphasizing the need for strict access controls and monitoring.

Mitigation Recommendations

To mitigate CVE-2025-59363, European organizations should prioritize upgrading OneLogin to version 2025.3.0 or later where the vulnerability is patched. Until patching is possible, organizations should restrict access to the GET Apps API v2 endpoint to only highly trusted administrators and monitor API usage logs for unusual access patterns or repeated requests to this endpoint. Implementing strict role-based access control (RBAC) to limit who can query application details is critical. Additionally, organizations should rotate OIDC client secrets regularly and immediately after any suspected exposure. Employing network segmentation and zero-trust principles around IAM infrastructure can reduce the risk of lateral movement if credentials are leaked. Monitoring for anomalous authentication or token usage can help detect exploitation attempts. Finally, organizations should review and harden their API security posture, including enforcing least privilege, using strong authentication for API access, and employing API gateways or proxies with enhanced logging and anomaly detection capabilities.
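An added example, not from the advisory or from OneLogin, of the API log monitoring recommended above: it scans constructed access log lines for successful reads of the Apps v2 endpoint by roles outside an allow-list and for bursts of reads by any single actor. The endpoint path /api/2/apps, the log field names and the thresholds are assumptions to adapt to the real gateway format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed path of the "GET Apps API v2" endpoint (assumption, not taken from the advisory).
APPS_V2_PATH = "/api/2/apps"

# Constructed sample API access log (JSON lines); real gateway formats differ.
SAMPLE_LOG = """\
{"ts":"2025-09-15T08:00:01Z","actor":"svc-prov","role":"admin","method":"GET","path":"/api/2/apps/101","status":200}
{"ts":"2025-09-15T08:00:02Z","actor":"svc-prov","role":"admin","method":"GET","path":"/api/2/apps/102","status":200}
{"ts":"2025-09-15T08:00:03Z","actor":"svc-prov","role":"admin","method":"GET","path":"/api/2/apps/103","status":200}
{"ts":"2025-09-15T08:00:04Z","actor":"svc-prov","role":"admin","method":"GET","path":"/api/2/apps/104","status":200}
{"ts":"2025-09-15T08:00:20Z","actor":"jdoe","role":"helpdesk","method":"GET","path":"/api/2/apps/101","status":200}
{"ts":"2025-09-15T08:01:00Z","actor":"alice","role":"admin","method":"GET","path":"/api/2/apps","status":200}
{"ts":"2025-09-15T08:01:30Z","actor":"bob","role":"helpdesk","method":"GET","path":"/api/2/apps","status":403}
{"ts":"2025-09-15T08:02:00Z","actor":"alice","role":"admin","method":"POST","path":"/api/2/apps","status":201}
"""

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_apps_v2_read(entry):
    # Only successful GETs on the collection or on a single app can leak a secret.
    path = entry["path"]
    return (entry["method"] == "GET" and entry["status"] == 200
            and (path == APPS_V2_PATH or path.startswith(APPS_V2_PATH + "/")))

def find_suspicious_readers(entries, allowed_roles=("admin",),
                            max_reads=3, window=timedelta(minutes=5)):
    """Flag reads by roles outside allowed_roles, and bursts above max_reads per window."""
    findings = defaultdict(set)
    reads = defaultdict(list)
    for e in entries:
        if not is_apps_v2_read(e):
            continue
        if e["role"] not in allowed_roles:
            findings[e["actor"]].add("read by non-admin role " + e["role"])
        reads[e["actor"]].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    for actor, times in reads.items():
        times.sort()
        for i in range(len(times)):
            j = i  # advance j past every read inside the window that starts at times[i]
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i > max_reads:
                findings[actor].add(f"{j - i} reads within {window}")
                break
    return {actor: sorted(reasons) for actor, reasons in findings.items()}
```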


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-14T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c7591939776bc2a1466a7c

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:11:04 AM

Last updated: 9/15/2025, 12:01:10 PM
