CVE-2025-0020 Information
May 15, 2025
cve
Description
Violation of Secure Design Principles, Hidden Functionality, and Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, and Configuration/Environment Manipulation.
The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC. This hidden functionality (known and by design, but undocumented) lets a requestor (the client, in RFC 6749 terms) ask ArcGIS (the authorization server, in RFC 6749 terms) for a custom, undocumented token expiration. Under RFC 6749 the lifetime reported in expires_in is chosen by the authorization server, not requested by the client, so a client-supplied lifetime lets a caller extend the validity window of an access token beyond what the server's configured policy would otherwise grant.
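To make the design point concrete, the following is an added example (not code from the advisory, from Esri, or from ArcGIS) that models a client_credentials token endpoint in two variants: one that honours a client-chosen lifetime, which is the behaviour the advisory describes, and one in which the lifetime comes from server policy alone and unrecognised parameters are ignored as RFC 6749 §3.2 requires. The advisory does not name the undocumented parameter, so the name used here (`expiration`) is hypothetical, the client registry is constructed, and the policy maximum is assumed. An audit helper at the end flags token responses whose `expires_in` exceeds policy, which is the check a relying party or SOC can run against real responses.

```python
"""Model of an OAuth 2.0 client_credentials token endpoint (RFC 6749 §4.4).

Added illustration for the ArcGIS advisory; not ArcGIS's own code.
"""
import hmac
import secrets

# Assumed server policy: the authorization server fixes token lifetime.
POLICY_MAX_LIFETIME_SECONDS = 3600

# Constructed client registry with a constructed secret (not real credentials).
CLIENTS = {"app-client": "s3cret"}

# Hypothetical name for the undocumented lifetime parameter; the advisory
# does not name it, so this is an assumption for illustration only.
HYPOTHETICAL_LIFETIME_PARAM = "expiration"

# Parameters RFC 6749 defines for this grant (§4.4.2) plus client
# authentication in the request body (§2.3.1).
RECOGNISED_PARAMS = {"grant_type", "client_id", "client_secret", "scope"}


def authenticate_client(form: dict) -> bool:
    """Client authentication with a constant-time secret comparison."""
    cid = form.get("client_id")
    secret = form.get("client_secret")
    if cid not in CLIENTS or secret is None:
        return False
    return hmac.compare_digest(CLIENTS[cid], secret)


def _issue(lifetime: int) -> dict:
    """Build a §5.1 token response with a random bearer token."""
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": lifetime,
    }


def token_endpoint_permissive(form: dict) -> dict:
    """Behaviour the advisory describes: a client-chosen lifetime is honoured."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if not authenticate_client(form):
        return {"error": "invalid_client"}
    # The requestor can stretch the token lifetime past server policy.
    lifetime = int(form.get(HYPOTHETICAL_LIFETIME_PARAM, POLICY_MAX_LIFETIME_SECONDS))
    return _issue(lifetime)


def token_endpoint_conformant(form: dict) -> dict:
    """Lifetime comes from server policy only; extra parameters are ignored (§3.2)."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if not authenticate_client(form):
        return {"error": "invalid_client"}
    # Anything outside RECOGNISED_PARAMS never influences the response.
    _ = {k: v for k, v in form.items() if k in RECOGNISED_PARAMS}
    return _issue(POLICY_MAX_LIFETIME_SECONDS)


def audit_token_response(resp: dict, max_lifetime: int = POLICY_MAX_LIFETIME_SECONDS) -> list:
    """Relying-party / SOC check: flag tokens whose lifetime exceeds policy."""
    findings = []
    if "error" in resp:
        return findings
    if "expires_in" not in resp:
        findings.append("expires_in missing (RFC 6749 §5.1 recommends it)")
    elif resp["expires_in"] > max_lifetime:
        findings.append(
            f"expires_in {resp['expires_in']}s exceeds policy max {max_lifetime}s"
        )
    return findings


def sample_request(lifetime=None) -> dict:
    """Constructed token request; lifetime is in seconds for this model."""
    form = {
        "grant_type": "client_credentials",
        "client_id": "app-client",
        "client_secret": "s3cret",
    }
    if lifetime is not None:
        form[HYPOTHETICAL_LIFETIME_PARAM] = str(lifetime)
    return form


if __name__ == "__main__":
    req = sample_request(lifetime=30 * 86400)  # ask for a 30-day token
    for name, handler in (("permissive", token_endpoint_permissive),
                          ("conformant", token_endpoint_conformant)):
        resp = handler(req)
        print(name, resp["expires_in"], audit_token_response(resp))
```

The conformant handler deliberately ignores the extra parameter rather than rejecting the request, because RFC 6749 §3.2 says the authorization server MUST ignore unrecognised request parameters; the fix for a design flaw of this kind is to stop letting any request field feed into lifetime selection, not to add another undocumented switch.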
Reference
https://developers.arcgis.com/documentation/security-and-authentication/
https://www.vulsec.org/advisories