Security hotfix for Duende.AccessTokenManagement.OpenIdConnect
We recently published Duende.AccessTokenManagement.OpenIdConnect 3.0.1, a security hotfix which addresses CVE-2024-51987, a medium-severity security issue that can cause refreshed access tokens to be cached and used for the wrong user.
We encourage everyone using Duende.AccessTokenManagement.OpenIdConnect 3.0.0 to update to version 3.0.1.
This issue was introduced in version 3.0.0, as part of our efforts to make the library more useful in scenarios where there may not always be incoming HTTP requests. Previously we had resolved certain dependencies for HttpClients on the fly from the HttpContext’s service collection. This made it impossible to use the HttpClient convenience methods in applications that don’t always have an incoming HTTP request, such as a Blazor application using the Server or Auto render mode. When we changed how we resolve those services, we introduced this issue, which causes the HttpClient to hold on to refreshed access tokens across incoming HTTP requests. This means that an application might make API requests with the wrong user’s token after tokens are refreshed.
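As an added illustration of the failure mode described above (this is not Duende's code, and not the actual 3.0.1 fix, which concerned how services are resolved), the two DelegatingHandlers below contrast a handler that keeps the last refreshed token in instance state with one that caches tokens keyed by the user's subject. `ITokenRefresher` is a hypothetical stand-in for the refresh call, and the example assumes the subject claim is available under the claim type `sub`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical abstraction standing in for "refresh the token for this user".
// Not a Duende API; it exists only so the two handlers below are complete.
public interface ITokenRefresher
{
    Task<(string AccessToken, DateTimeOffset ExpiresAt)> RefreshAsync(
        ClaimsPrincipal user, CancellationToken cancellationToken);
}

// Buggy shape. IHttpClientFactory pools and reuses handler instances for the
// handler lifetime (two minutes by default), so any field on a DelegatingHandler
// is shared by every request, and therefore every user, that passes through it.
public sealed class SharedStateTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ITokenRefresher _refresher;

    // BUG: one token slot for the whole handler, not one per user.
    private string? _accessToken;
    private DateTimeOffset _expiresAt;

    public SharedStateTokenHandler(IHttpContextAccessor httpContextAccessor, ITokenRefresher refresher)
    {
        _httpContextAccessor = httpContextAccessor;
        _refresher = refresher;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (_accessToken is null || _expiresAt <= DateTimeOffset.UtcNow)
        {
            var user = _httpContextAccessor.HttpContext?.User
                ?? throw new InvalidOperationException("No current HttpContext.");
            // The refreshed token belongs to this user, but it is stored where
            // the next user's request through this handler instance will pick it up.
            (_accessToken, _expiresAt) = await _refresher.RefreshAsync(user, cancellationToken);
        }

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        return await base.SendAsync(request, cancellationToken);
    }
}

// Corrected shape: the cache is keyed by the caller's subject identifier, so a
// token refreshed for one user is never attached to another user's request,
// however long the handler instance lives.
public sealed class PerUserTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ITokenRefresher _refresher;
    private readonly ConcurrentDictionary<string, (string AccessToken, DateTimeOffset ExpiresAt)> _cache = new();

    public PerUserTokenHandler(IHttpContextAccessor httpContextAccessor, ITokenRefresher refresher)
    {
        _httpContextAccessor = httpContextAccessor;
        _refresher = refresher;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var user = _httpContextAccessor.HttpContext?.User
            ?? throw new InvalidOperationException("No current HttpContext.");

        // Assumes the OpenID Connect subject claim is exposed as "sub" (with default
        // claim mapping it may appear as ClaimTypes.NameIdentifier instead). Fail closed
        // if it is missing rather than falling back to a key shared by all users.
        var subject = user.FindFirst("sub")?.Value
            ?? throw new InvalidOperationException("Current user has no subject claim.");

        if (!_cache.TryGetValue(subject, out var entry) || entry.ExpiresAt <= DateTimeOffset.UtcNow)
        {
            entry = await _refresher.RefreshAsync(user, cancellationToken);
            _cache[subject] = entry;
        }

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", entry.AccessToken);
        return await base.SendAsync(request, cancellationToken);
    }
}
```

The point of the contrast is where the refreshed token lives: anything stored on the handler itself outlives the incoming request that produced it, so the token cache has to be partitioned by user identity (or resolved from per-request state) rather than by handler instance.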
An attacker with a user in the system could potentially exploit this to cause the application to make API requests as a different user. Somewhat mitigating the severity of this attack is that the attacker will be unable to control which user’s token is used and for how long. We assess this issue as medium severity, with a CVSS v3.1 score of 5.4/10.
This issue was reported to us by Nate Laff. Thank you Nate for your help and for disclosing this issue responsibly. We always encourage bug reports from the community. General issues can be submitted to the public issue tracker, while security issues should be reported privately to security@duendesoftware.com.
Again, we encourage everyone to update to Duende.AccessTokenManagement.OpenIdConnect 3.0.1. See the security advisory for more details, and if you have further questions, please email the Duende Security team at security@duendesoftware.com.