CVE-2025-26620: Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

6.3 CVSS

Description

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenID Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other protocol parameters. Such usage is somewhat atypical, and only a small percentage of users are likely to be affected.

Duende.AccessTokenManagement can request access tokens using the client credentials flow in several ways. In basic usage, the client credentials flow is configured once and the parameters do not vary. In more advanced situations, requests with varying protocol parameters may be made by calling specific overloads of these methods: `HttpContext.GetClientAccessTokenAsync()` and `IClientCredentialsTokenManagementService.GetAccessTokenAsync()`. There are overloads of both of these methods that accept a `TokenRequestParameters` object that customizes token request parameters. However, concurrent requests with varying `TokenRequestParameters` will result in the same token for all concurrent calls.

Most users can simply update the NuGet package to the latest version. Customizations of the `IClientCredentialsTokenCache` that derive from the default implementation (`DistributedClientCredentialsTokenCache`) will require a small code change, as its constructor was changed to add a ...
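The defect class described above is a token cache whose key does not include the parameters that vary between requests, so concurrent callers asking for different scopes are all handed whichever token was issued first. The following console program is an added illustration and is not Duende's code: `RequestParams`, `CachedToken`, `FakeTokenEndpoint`, `ClientNameKeyedCache` and `ParameterKeyedCache` are constructed stand-ins for a request-parameter object, a token endpoint and two cache strategies, and they do not reproduce the library's real API or the constructor change mentioned in the advisory.

```csharp
// Added illustration (not Duende's code): a client-credentials token cache must
// key on the protocol parameters of each request, not just the client name.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the parameters that can vary per request (scope, resource).
public sealed record RequestParams(string? Scope = null, string? Resource = null);

// A cached token that records which scope/resource it was actually issued for.
public sealed record CachedToken(string AccessToken, string Scope, string Resource);

// Simulated token endpoint; the delay keeps several requests in flight at once.
public static class FakeTokenEndpoint
{
    private static int _counter;

    public static async Task<CachedToken> RequestAsync(string clientName, RequestParams p)
    {
        await Task.Delay(10);
        var n = Interlocked.Increment(ref _counter);
        return new CachedToken($"tok-{n}", p.Scope ?? "default", p.Resource ?? "none");
    }
}

public interface ITokenCache
{
    Task<CachedToken> GetOrCreateAsync(string clientName, RequestParams p);
}

// Flawed: the key is the client name only, so the first request to be stored
// wins and every concurrent caller receives that token regardless of its parameters.
public sealed class ClientNameKeyedCache : ITokenCache
{
    private readonly ConcurrentDictionary<string, Lazy<Task<CachedToken>>> _cache = new();

    public Task<CachedToken> GetOrCreateAsync(string clientName, RequestParams p) =>
        _cache.GetOrAdd(clientName,
            _ => new Lazy<Task<CachedToken>>(() => FakeTokenEndpoint.RequestAsync(clientName, p))).Value;
}

// Hardened: the key includes every parameter that changes what the token grants.
public sealed class ParameterKeyedCache : ITokenCache
{
    private readonly ConcurrentDictionary<string, Lazy<Task<CachedToken>>> _cache = new();

    private static string Key(string clientName, RequestParams p) =>
        $"{clientName}|scope={p.Scope}|resource={p.Resource}";

    public Task<CachedToken> GetOrCreateAsync(string clientName, RequestParams p) =>
        _cache.GetOrAdd(Key(clientName, p),
            _ => new Lazy<Task<CachedToken>>(() => FakeTokenEndpoint.RequestAsync(clientName, p))).Value;
}

public static class Program
{
    // Fires concurrent requests for one client with different scopes and counts
    // how many callers received a token issued for a scope they did not ask for.
    public static async Task<int> CountMismatchesAsync(ITokenCache cache)
    {
        var scopes = new[] { "read", "write", "admin" };
        var tasks = scopes.Select(s => cache.GetOrCreateAsync("api-client", new RequestParams(Scope: s)));
        var tokens = await Task.WhenAll(tasks);
        return scopes.Zip(tokens).Count(pair => pair.First != pair.Second.Scope);
    }

    public static async Task Main()
    {
        Console.WriteLine($"client-name key: {await CountMismatchesAsync(new ClientNameKeyedCache())} wrong-scope tokens");
        Console.WriteLine($"parameter key:   {await CountMismatchesAsync(new ParameterKeyedCache())} wrong-scope tokens");
    }
}
```

With the client-name-keyed cache all three callers share one token, so two of them hold a token for the wrong scope; with the parameter-keyed cache each scope gets its own token and no caller is mismatched. The `Lazy<Task<>>` wrapper is what makes the race visible: only one factory runs per key, which is the correct behaviour for identical requests and the wrong behaviour when the key omits the parameters that distinguish them. When auditing a custom `IClientCredentialsTokenCache`, check that its key derivation covers scope, resource and any other field of `TokenRequestParameters` the application varies.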

Classification

CVE ID: CVE-2025-26620

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Products

Vendor: DuendeSoftware

Product: foss

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation activity in the next 30 days)

EPSS Percentile: 11.84% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-19 (date the score was calculated)

References

https://github.com/DuendeSoftware/foss/security/advisories/GHSA-qxj7-2x7w-3mpp
https://github.com/DuendeSoftware/foss/commit/a33332ddec0ebf3c048ba85427e3c77d47c68dac

Timeline