VYPR
Medium severity · 4.0 · NVD Advisory · Published Jul 19, 2025 · Updated Apr 15, 2026

CVE-2025-52924

Description

In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

One Identity OneLogin before 2025.2.0 sets the SQL connection's application name from an untrusted HTTP header (X-RequestId), so a remote sender controls how the application's database sessions are labelled in server-side session metadata and logs.

Vulnerability

CVE-2025-52924 is a medium-severity vulnerability in One Identity OneLogin versions prior to 2025.2.0. The application sets the SQL connection's "application name" from the value of the X-RequestId HTTP request header, an input the client controls, so a request-supplied string reaches the database connection configuration without validation. [1]

Exploitation

An attacker sends an HTTP request to the OneLogin service with a crafted X-RequestId header; the attack needs only network access to the service. The description does not say which endpoints read the header or whether the request must be authenticated, so confirm those conditions against the vendor advisory rather than assuming them. The header value then becomes the application name on the SQL connection the service uses. [1]

Impact

Successful exploitation lets an attacker choose the SQL connection's application name. That name is connection metadata: database servers expose it in session views (for example program_name in SQL Server), record it in audit and trace output, and some tooling filters or classifies sessions by it. Controlling it therefore lets an attacker spoof or obscure the origin of database activity rather than read or modify data directly; nothing on this page indicates SQL injection or data exfiltration. Defenders should treat the application name in database logs from affected versions as attacker-influenceable rather than as a reliable session identifier. The severity is medium (4.0), consistent with an impact limited to connection metadata. [1]

Mitigation

The vulnerability is fixed in One Identity OneLogin 2025.2.0 and later; upgrade to the latest version. No workaround is documented. Until the upgrade, restricting network access to the OneLogin service, and stripping or normalising the X-RequestId header at a reverse proxy in front of it (replacing client-supplied values with a proxy-generated identifier), limits exposure, and alerting on X-RequestId values that do not match the expected identifier format gives detection coverage. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
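Added example, not OneLogin code and not from the vendor: the vulnerable header-to-connection-string pattern from the Exploitation section beside a hardened version, plus the header check the Mitigation section suggests, run over constructed log lines. The connection-string layout, the `Application Name` keyword (as SQL Server drivers spell it), the identifier format and the log format are assumptions made for the illustration.

```python
"""Constructed example: untrusted X-RequestId reaching a SQL connection's
Application Name, a hardened replacement, and a log check for abusive values.
Not OneLogin code; the connection-string layout and log format are assumed."""
import re
from typing import Iterable, List, Mapping

# Assumed identifier contract: opaque ASCII token (UUID-like), at most 64 chars.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")
DEFAULT_APP_NAME = "OneLogin"
MAX_APP_NAME = 128  # SQL Server stores program_name as nvarchar(128)


def vulnerable_connection_string(headers: Mapping[str, str]) -> str:
    """The pattern the CVE describes: the raw header value is written into the
    connection's application name. In this constructed version it is
    concatenated into the connection string, so a ';' in the value spills
    into a new keyword=value pair."""
    request_id = headers.get("X-RequestId", "")
    return f"Server=db;Database=idp;Application Name={DEFAULT_APP_NAME}/{request_id}"


def application_name_from_header(headers: Mapping[str, str]) -> str:
    """Hardened form: allow-list the shape, cap the length, otherwise fall back
    to a fixed name so the client never controls the connection metadata."""
    request_id = headers.get("X-RequestId")
    if request_id is None or not REQUEST_ID_RE.fullmatch(request_id):
        return DEFAULT_APP_NAME
    return f"{DEFAULT_APP_NAME}/{request_id}"[:MAX_APP_NAME]


def quote_connection_value(value: str) -> str:
    """Quote a connection-string value the way ADO.NET-style parsers expect:
    wrap in double quotes and double any embedded double quote, so ';' and '='
    inside the value stay literal."""
    return '"' + value.replace('"', '""') + '"'


def hardened_connection_string(headers: Mapping[str, str]) -> str:
    """Validated name, quoted as a unit: defence in depth on top of the allow-list."""
    app_name = application_name_from_header(headers)
    return f"Server=db;Database=idp;Application Name={quote_connection_value(app_name)}"


# Constructed access-log lines: "<method> <path> <status> <X-RequestId as received>".
SAMPLE_LOG = [
    "GET /login 200 3f1c9a2e-8d4b-4f0e-9c3a-1b2d5e6f7a88",
    "POST /session 302 req-0042",
    "GET /login 200 spoof;Application Name=BackupJob",  # tries to relabel the session
    "GET /health 200 -",                                # header absent, logged as '-'
    "GET /login 200 " + "a" * 80,                       # over the length bound
]
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<request_id>.*)$")


def suspicious_request_ids(lines: Iterable[str]) -> List[str]:
    """Detection sketch for the monitoring the Mitigation section suggests:
    return every logged X-RequestId that does not fit the identifier contract."""
    hits: List[str] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["request_id"] == "-":
            continue
        if not REQUEST_ID_RE.fullmatch(m["request_id"]):
            hits.append(m["request_id"])
    return hits


if __name__ == "__main__":
    crafted = {"X-RequestId": "spoof;Application Name=BackupJob"}
    print(vulnerable_connection_string(crafted))
    print(hardened_connection_string(crafted))
    print(suspicious_request_ids(SAMPLE_LOG))
```

The same `REQUEST_ID_RE` does double duty: in the application it decides whether a client-supplied id may be echoed into connection metadata at all, and in the log check it flags values a proxy or WAF should have rejected. Quoting the value is defence in depth; the allow-list with a fixed fallback is what removes the attacker's control over the name.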

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 2
