VULSec Labs: exclusively-hosted-service

Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation.

The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and by-design, but undocumented) functionality enables a requestor (referred to as client in RFC 6749) to request an, undocumented, custom token expiration from ArcGIS (referred to as authorization server in RFC 6749).

Rejected reason: “This CVE ID is Rejected and will not be used.  As the CNA of record ESRI has rejected this CVE and Reserved CVE-2025-4856 to address this issue.”

VULSec Labs: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:X/U:Amber

VULSec Labs: CWE-657

VULSec Labs: CWE-684

VULSec Labs: CWE-912

VULSec Labs: https://developers.arcgis.com/documentation/security-and-authentication/

VULSec Labs: https://www.vulsec.org/advisories