PT-2025-15702 · Microsoft · Microsoft.Identity.Abstractions+1

Marcelmichau · Published 2025-04-09 · Updated 2025-04-10 · CVE-2025-32016

CVSS v3.1: 4.7 Medium

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Identity Web versions prior to 3.8.2; Microsoft.Identity.Abstractions versions prior to 9.0.0
Description: This issue affects confidential client applications, including daemons, web apps, and web APIs, and may expose sensitive information such as client secrets or certificate details in service logs under specific circumstances. The exposure can occur when service logs are generated at the information level or when credential descriptions contain local file paths with passwords, Base64 encoded values, or client secrets. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired.
Recommendations: Update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0 to resolve the issue.

Weakness Enumeration: Insertion into Log File

Related Identifiers

BDU:2025-05430
CVE-2025-32016
GHSA-RPQ8-Q44M-2RPG

Affected Products

Identity Web
Microsoft.Identity.Abstractions