
Update dependency Microsoft.Identity.Web to 3.8.2 [SECURITY] #7

Open

renovate[bot] wants to merge 1 commit into main from renovate/nuget-microsoft.identity.web-vulnerability


Conversation


renovate[bot] commented Apr 11, 2025

This PR contains the following updates:

Package                 Change          Age      Confidence
Microsoft.Identity.Web  3.3.1 -> 3.8.2  (badge)  (badge)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs

CVE-2025-32016 / GHSA-rpq8-q44m-2rpg


Impact

What kind of vulnerability is it? Who is impacted?

Description: This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely.

Impact: The vulnerability impacts service logs that meet the following criteria:

  • Logging Level: Logs are generated at the information level.
  • Credential descriptions containing:
    • Local file paths with passwords.
    • Base64 encoded values.
    • Client secret.

Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status.

If your service logs are handled securely, you are not impacted.

Otherwise, the following table shows when you can be impacted:

  Credential description                                                                        | Log Level Information for Microsoft.Identity.Web | Invalid Certificate
  One of the ClientCredentials credential descriptions has CredentialSource = Base64Encoded      | Impacted                                         | Impacted
  or CredentialSource = Path                                                                    |                                                  |
  One of the ClientCredentials credential descriptions is a client secret                       | Impacted                                         | Not impacted
  (CredentialSource = ClientSecret)                                                             |                                                  |
  Other credential descriptions                                                                 | Not impacted                                     | Not impacted

Patches

Has the problem been patched? What versions should users upgrade to?
To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
You can work around the issue in the following ways:

  • Ensure that service logs are handled securely and access to logs is restricted

  • Don’t use LogLevel = Information for the Microsoft.Identity.Web namespace

Recommendation for production environment

Avoid using ClientCredentials with CredentialDescriptions whose CredentialSource is ClientSecret, Base64Encoded, or Path. Instead, use a certificate from Key Vault or a certificate store, or a federated identity credential with a managed identity.
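The following appsettings.json fragment is an added illustration of the workaround and the production recommendation above; it is not part of the PR, the advisory, or the Microsoft.Identity.Web repository. It assumes the JSON binding of Microsoft.Identity.Abstractions' CredentialDescription (SourceType plus the source-specific properties) and the standard ASP.NET Core Logging section; every GUID, vault name, path and subject is a constructed placeholder. The three affected credential shapes are left in as comments only so the contrast with the recommended shapes is visible in one file.

```json
{
  // .NET's JSON configuration provider accepts comments in appsettings.json.
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      // Advisory workaround: keep the Microsoft.Identity.Web namespace above
      // Information so credential descriptions are never written to the service log.
      "Microsoft.Identity.Web": "Warning"
    }
  },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientCredentials": [
      // The three shapes the advisory table marks as Impacted, shown commented out
      // (placeholder values) so the difference from the shapes below is visible:
      // { "SourceType": "ClientSecret",  "ClientSecret": "<secret-placeholder>" },
      // { "SourceType": "Base64Encoded", "Base64EncodedValue": "<base64-pfx-placeholder>" },
      // { "SourceType": "Path", "CertificateDiskPath": "<path-placeholder>.pfx",
      //   "CertificatePassword": "<password-placeholder>" },

      // Recommended: certificate loaded from Key Vault (placeholder vault and name).
      {
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://<vault-name-placeholder>.vault.azure.net",
        "KeyVaultCertificateName": "<certificate-name-placeholder>"
      },
      // Recommended: certificate from the local certificate store, selected by subject name.
      {
        "SourceType": "StoreWithDistinguishedName",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateDistinguishedName": "CN=<subject-placeholder>"
      },
      // Recommended: federated identity credential backed by a managed identity;
      // no secret or certificate material is present in configuration at all.
      {
        "SourceType": "SignedAssertionFromManagedIdentity",
        "ManagedIdentityClientId": "22222222-2222-2222-2222-222222222222"
      }
    ]
  }
}
```

Three recommended entries are listed only to show each shape side by side; in a real deployment one is enough, and the credential loader treats the array as an ordered fallback chain (first description that loads successfully wins, as I understand the library's behaviour). The logging override is the cheaper of the two fixes when the package upgrade cannot ship immediately; restricting who can read the service logs, the advisory's first workaround, is independent of configuration and still applies after upgrading.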

References

Are there any links users can visit to find out more?

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N


This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v3.8.2

  • Updated to Microsoft.Identity.Abstractions 9.0.0

New feature

  • An exception is now thrown if MSAL TokenCacheNotificationArgs indicates that distributed cache is configured when it should not have been. See #3304.
  • Added support for federated identity credentials with AT_POP. See #3299.

v3.8.1

New features

  • Updated to Microsoft.IdentityModel.* 8.7.0

Bug fixes

  • Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See #3145.

v3.8.0

New feature

  • Updated to Microsoft.IdentityModel.* 8.6.1
  • Updated to MSAL.NET 4.69.1
  • Updated the Json Schema to include extensibility for signed assertion providers. See #3235
  • Added support for Federation Identity Credential on any OIDC Idp (FIC+OIDC credential provider). See #3255
  • Support for acquiring token for Federation Managed Identity (FMI). Supports the FmiPath property of AcquireTokenOptions. See #3247
  • Downstream APIs now support Authorization headers with a custom SAML bearer syntax. See #3273

Bug fixes

  • TokenAcquirerFactory is now thread safe. See #3274
  • Fix a bug in the parsing of the token in the authority. See #3261

Fundamentals

  • Removed old Blazorwasm sample, wasm-tools and added new blazor web API: #3259, #3257, #3254
  • Modified the build so that, in CI/CD internal builds, the NuGet.org NuGet source is replaced by a managed Nuget source. More verbose information added. See #3263
  • Fixed CS8602 Warnings in Weather.razor (BlazorApp) – Handle Nullable forecasts and user.Identity. See #3266.

v3.7.1

  • Updated to Microsoft.IdentityModel.* 8.5.0

v3.7.0

  • Updated to Microsoft.Identity.Abstractions 8.1.0
  • Updated to Microsoft.IdentityModel.* 8.4.0

New Feature

  • IdentityWeb now provides extensibility to DefaultCredentialsLoader so that partner teams, or an SDK on top of IdWeb, can bring their own credential providers. See #3220 for details.

Bug fixes

  • The merged options are now being passed to MSAL for the CCA ROPC scenario. See #3207 for details.

v3.6.2

  • Updated to Microsoft.Identity.Abstractions 8.0.0

Fundamentals

  • Clean-up the tests that were using properties removed in Abstractions 8.0.0. See issue #3212 for details.

v3.6.1

  • Updated to Microsoft.Identity.Abstractions 7.2.1

v3.6.0

  • Updated to Microsoft.IdentityModel.* 8.3.1
  • Updated to MSAL.NET 4.67.2

Bug fixes

  • Checks that B2C tokens don't contain the claims used by Identity Web to represent the home tenant and object ID (obtained from the UserInfo endpoint). See #3131
  • Remove explicit locking in OpenIdConnectCachingSecurityTokenProvider. See Issue #3078

Fundamentals

  • Fix Null Reference Exception in OwinTokenAcquirerFactory + other OWIN cleanup. See #3183
  • Re-add code coverage comments & scope to src files. See #3177

v3.5.0

  • Updated to Microsoft.IdentityModel.* 8.3.0

Bug fixes

  • Ensure Singleton registration for TokenAcquisition Services when TokenAcquirerFactory is null. See #3155
  • Don't modify the merged options when building the confidential client. See #3137

Fundamentals

  • Install all .NET versions in pipeline, including .NET 9. See #3152
  • Upgrade to C# 13. See #3138
  • Specify sdk version in global.json. See #3156
  • Disable Coverage PR comments. See #3159

v3.4.0

  • Updated to Microsoft.IdentityModel.* 8.2.1
  • Updated to Microsoft.Identity.Abstractions 7.2.0

New features

  • Add ROPC flow support for confidential client applications. See 3091, 3129, 3139.
  • Allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See 3121, 3132.
  • Update to use .NET 9 GA. See 3127.

Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • ""
  • Automerge
    • "after 10am every weekday,before 4pm every weekday"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
