PT-2024-33666 · Duende · Duende Identityserver

Josephdecock · Published 2024-10-28 · Updated 2024-10-29 · CVE-2024-49755

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Duende IdentityServer versions 7.0.0 through 7.0.7
Description: The local API authentication handler in Duende IdentityServer performs insufficient validation of the cnf (confirmation) claim in DPoP access tokens, the claim that binds a token to the client's DPoP key. As a result, an attacker who obtains a leaked DPoP access token can present it at local API endpoints without possessing the private key needed to sign DPoP proof tokens. The issue only affects custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication.
Recommendations: For Duende IdentityServer versions 7.0.0 through 7.0.7, update to version 7.0.8 to resolve the issue. As a temporary workaround until the patch is applied, disable the use of DPoP for local APIs by setting the TokenMode option to LocalApiTokenMode.BearerOnly. Restrict access to custom endpoints that use the LocalApiAuthenticationHandler to minimize the risk of exploitation.
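The temporary workaround above, written out as an added configuration example for an IdentityServer host's Program.cs (this is not code from the advisory or from Duende): the local API handler is registered and then configured to accept only bearer tokens, so the affected DPoP cnf validation path is never exercised until the host is on 7.0.8. AddLocalApiAuthentication, LocalApiAuthenticationOptions, IdentityServerConstants.LocalApi and the TokenMode/LocalApiTokenMode names are Duende's public API as far as I know them; configuring the options through the ASP.NET Core named-options pattern, the route name and the placeholder comment about the rest of the IdentityServer registration are assumptions.

```csharp
// Program.cs (added example). Assumes the rest of the IdentityServer registration
// (clients, resources, signing credential) is configured elsewhere in this file.
using Duende.IdentityServer;
using Duende.IdentityServer.Hosting.LocalApiAuthentication;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddIdentityServer(); // placeholder: real hosts chain clients/resources here

// Registers the local API authentication scheme and the LocalApi authorization policy.
builder.Services.AddLocalApiAuthentication();

// Temporary mitigation for CVE-2024-49755 on 7.0.0 through 7.0.7: accept bearer
// tokens only at local APIs, so DPoP-bound tokens (and their cnf validation) are
// not used by this handler. Remove once the host runs 7.0.8 or later.
// Assumption: LocalApiAuthenticationOptions is a standard AuthenticationSchemeOptions
// type, so it can be configured as named options keyed by the scheme name.
builder.Services.Configure<LocalApiAuthenticationOptions>(
    IdentityServerConstants.LocalApi.AuthenticationScheme,
    options => options.TokenMode = LocalApiTokenMode.BearerOnly);

var app = builder.Build();

app.UseIdentityServer();
app.UseAuthorization();

// A custom endpoint protected by the local API handler; this is the kind of
// endpoint the advisory describes as affected. The route name is an assumption.
app.MapGet("/localapi/whoami",
    [Authorize(IdentityServerConstants.LocalApi.PolicyName)]
    (HttpContext ctx) => Results.Ok(new
    {
        sub = ctx.User.FindFirst("sub")?.Value,
        scheme = IdentityServerConstants.LocalApi.AuthenticationScheme
    }));

app.Run();
```

The setting is a stopgap: it removes DPoP sender-constraining from local APIs entirely, so leaked bearer tokens remain usable there just as they are today, and the real fix is the 7.0.8 upgrade.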

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2024-49755
GHSA-V9XQ-2MVM-X8XC

Affected Products

Duende Identityserver