Summary: Duende.AccessTokenManagement, a set of .NET libraries that manage OAuth and OpenID Connect access tokens, has a race condition in the client credentials flow that can lead to security issues. Under concurrent requests, the library can return an access token that was obtained with parameters other than the ones the caller asked for. It affects a minor percentage of users and can be fixed by simply updating the NuGet package to the latest version. Also, customizations of the IClientCredentialsTokenCache deriving from the default implementation need a small code change.

Background

Duende.AccessTokenManagement is a popular set of .NET libraries that handle the lifecycle of OAuth and OpenID Connect access tokens. A race condition vulnerability has been found when requesting access tokens using the client credentials flow, potentially impacting a small portion of the users.

The Vulnerability (CVE-2025-26620)

The race condition vulnerability can occur when there are concurrent requests to obtain access tokens using different protocol parameters. As a result, access tokens may be returned with wrong scope, resource indicator, or other protocol parameters.

IClientCredentialsTokenManagementService.GetAccessTokenAsync()

Below is an example of how the HttpContext.GetClientAccessTokenAsync() method is called with a TokenRequestParameters object:

// Request a client credentials token for a specific scope and resource indicator.
// Concurrent calls with differing parameters are the scenario affected by the race.
TokenRequestParameters param = new TokenRequestParameters
{
    Scope = "custom_scope",
    Resource = "custom_resource"
};
var token = await HttpContext.GetClientAccessTokenAsync(param);

When making concurrent requests using different TokenRequestParameters, the access token returned might not match the intended parameters.
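The following is an added illustration and not code from Duende.AccessTokenManagement: it is a simplified model of the failure mode described above, showing why concurrent client credentials requests must be synchronized on the full parameter set rather than on the client name alone. The TokenRequest record, the cache class and the fake token endpoint are constructed for this example only.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;

// Constructed stand-in for TokenRequestParameters: only the fields the advisory mentions.
public sealed record TokenRequest(string ClientName, string? Scope, string? Resource);

public sealed class ClientCredentialsTokenCache
{
    private readonly ConcurrentDictionary<string, Lazy<Task<string>>> _inflight = new();
    private readonly Func<TokenRequest, Task<string>> _requestToken;
    private readonly bool _keyIncludesParameters;

    public ClientCredentialsTokenCache(Func<TokenRequest, Task<string>> requestToken, bool keyIncludesParameters)
    {
        _requestToken = requestToken;
        _keyIncludesParameters = keyIncludesParameters;
    }

    // Hypothetical weak behaviour: keying on the client name alone makes concurrent callers
    // share one token request even when their scope or resource differ.
    private string KeyFor(TokenRequest r) =>
        _keyIncludesParameters ? $"{r.ClientName}|{r.Scope}|{r.Resource}" : r.ClientName;

    // Callers with the same key share one in-flight request; the key decides what "same" means.
    public Task<string> GetAccessTokenAsync(TokenRequest request) =>
        _inflight.GetOrAdd(KeyFor(request), _ => new Lazy<Task<string>>(() => _requestToken(request))).Value;
}

public static class Demo
{
    // Simulated token endpoint: the issued "token" records the scope it was minted for.
    private static async Task<string> FakeTokenEndpoint(TokenRequest r)
    {
        await Task.Delay(50);
        return $"token(scope={r.Scope ?? "default"})";
    }

    public static async Task Main()
    {
        var requests = new[] { new TokenRequest("api", "read", null), new TokenRequest("api", "write", null) };
        foreach (var includeParameters in new[] { false, true })
        {
            var cache = new ClientCredentialsTokenCache(FakeTokenEndpoint, includeParameters);
            var tokens = await Task.WhenAll(requests.Select(r => cache.GetAccessTokenAsync(r)));
            for (var i = 0; i < requests.Length; i++)
            {
                var ok = tokens[i] == $"token(scope={requests[i].Scope})";
                Console.WriteLine($"keyIncludesParameters={includeParameters}: requested {requests[i].Scope}, got {tokens[i]} -> {(ok ? "OK" : "MISMATCH")}");
            }
        }
    }
}
```

With the client-name-only key the "write" caller is handed the token minted for "read"; with the parameter-aware key each caller gets a token matching its own request.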

Remediation

For the majority of users, updating the Duende.AccessTokenManagement NuGet package to the latest version will suffice.

However, for those who have customizations of the IClientCredentialsTokenCache deriving from the default implementation (DistributedClientCredentialsTokenCache), a code change must be made to inject the ITokenRequestSynchronization service into the derived class and pass it to the base constructor.

Here's an example of the required change:

public class CustomDistributedClientCredentialsTokenCache : DistributedClientCredentialsTokenCache
{
    public CustomDistributedClientCredentialsTokenCache(
        IDistributedCache cache,
        IOptions<AccessTokenManagementOptions> options,
        ISystemClock clock,
        IClientAccessTokenParametersParser parser,
        ITokenRequestSynchronization synchronization) // new dependency required by the fixed base class
        : base(cache, options, clock, parser, synchronization)
    {
    }
}

Impact Assessment

This vulnerability will mainly affect advanced users who use the mentioned methods with customized token request parameters. The impact will depend on the application logic, security architecture, and resource servers' authorization policies.

As not many users make concurrent requests with differing request parameters, only a small percentage will be affected. However, it is still highly advised to update the Duende.AccessTokenManagement NuGet package to the latest version to safeguard your implementation from any potential security issues.

Timeline

Published on: 02/18/2025 18:15:36 UTC