Time-of-check Time-of-use (TOCTOU) Race Condition in duende.accesstokenmanagement | CVE-2025-26620

Q: How to fix?

Upgrade Duende.AccessTokenManagement to version 3.2.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-DOTNET-DUENDEACCESSTOKENMANAGEMENT-8732920
published19 Feb 2025
disclosed18 Feb 2025
creditMichael Dimoudis

Report a new vulnerability Found a mistake?

Introduced: 18 Feb 2025

NewCVE-2025-26620 (opens in a new tab) CWE-367 (opens in a new tab)

How to fix?

Upgrade Duende.AccessTokenManagement to version 3.2.0 or higher.

Overview

Duende.AccessTokenManagement is a library that manages OAuth access tokens in .NET workers and ASP.NET Core worker services

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition when handling concurrent ClientCredentialsToken requests. The HttpContext.GetClientAccessTokenAsync() and IClientCredentialsTokenManagementService.GetAccessTokenAsync() functions may return access tokens with incorrect scope, resource indicator, or other protocol parameters. An attacker can exploit this to obtain the values intended for a different request sent at the same time. This is only exploitable if custom TokenRequestParameters are allowed, overriding one of the above functions.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None

Time-of-check Time-of-use (TOCTOU) Race Condition Affecting duende.accesstokenmanagement package, versions [,3.2.0)

Severity