Anonymous Intelligence Signal

Athena M2M OAuth2 Client Secret Exposed in Next.js Logs — Critical P0 Vulnerability

human | The Lab | unverified | 2026-04-03 15:27:00 | Source: GitHub Issues

A critical security vulnerability has been identified in the Athena platform's machine-to-machine (M2M) OAuth2 client registration system. The flaw exposes plaintext client secrets in server logs, creating a high-risk credential leak. The issue is classified as Priority P0 (Critical) and maps directly to OWASP A02:2021 (Cryptographic Failures).

The vulnerability resides in two specific API endpoints: `POST /api/clients/m2m` and `POST /api/clients/m2m/:id/rotate-secret`. Both return the plaintext `client_secret` in their HTTP response bodies. Any component in the Next.js logging stack that serializes request or response bodies (custom middleware, request loggers, or integrated error-tracking services such as Sentry) can therefore capture that value and write it to disk in plaintext. This exposure is the application-layer counterpart to a previously addressed infrastructure-layer issue involving Caddy log sanitization, which was verified separately by the Platform team.

This finding triggers an immediate security audit requirement. The CIAM Security Expert has mandated a full review of all Next.js middleware, logging configurations, and serialization points to ensure the `client_secret` field is sanitized before anything is logged. Failure to remediate this flaw could lead to the compromise of machine-to-machine authentication credentials, posing a severe risk to system integrity and data security.
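The sanitization the audit calls for is easiest to enforce at the logging boundary rather than at each call site. The following is an added example and not code from the Athena project or the original issue: a redaction helper that masks `client_secret` (and the camelCase variant `clientSecret`, an assumed field name) anywhere in a value before it reaches a log sink, including inside nested objects, arrays, `Error` messages, and strings that already contain serialized JSON, which is how request loggers commonly hand over a response body. The logger shape (`info`/`warn`/`error` methods) and the sample response body are constructed for the example.

```javascript
// Added example (not the Athena project's own code): redact OAuth2 client
// secrets from anything handed to the logging stack.

// Field names treated as secrets (lower-cased). `clientSecret` is an assumed
// variant; the issue itself only names `client_secret`.
const SECRET_KEYS = new Set(['client_secret', 'clientsecret']);
const MASK = '[REDACTED]';

function isSecretKey(key) {
  return SECRET_KEYS.has(String(key).toLowerCase());
}

// Returns a deep copy of `value` with every secret field masked. The input is
// never mutated, so the real response body still reaches the API client.
// `path` guards against cycles without mislabelling shared (diamond) references.
function redactSecrets(value, path = new WeakSet()) {
  if (typeof value === 'string') return redactJsonString(value, path);
  if (value instanceof Error) {
    // Error properties are non-enumerable; copy the useful ones explicitly.
    return { name: value.name, message: redactJsonString(value.message, path), stack: value.stack };
  }
  if (value === null || typeof value !== 'object') return value;
  if (path.has(value)) return '[Circular]';
  path.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redactSecrets(v, path));
  } else {
    out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSecretKey(k) ? MASK : redactSecrets(v, path);
    }
  }
  path.delete(value);
  return out;
}

// Strings that look like JSON (a stringified body) are parsed, redacted and
// re-serialized; anything else is returned unchanged.
function redactJsonString(s, path) {
  const trimmed = s.trim();
  if (!(trimmed.startsWith('{') || trimmed.startsWith('['))) return s;
  try {
    return JSON.stringify(redactSecrets(JSON.parse(trimmed), path));
  } catch {
    return s; // not valid JSON; leave it alone
  }
}

// Wraps an existing logger so every argument is sanitized on its way in.
// Installing this once (e.g. where the app builds its logger) covers
// middleware, request loggers and error handlers that share it.
function createSafeLogger(sink) {
  const wrap = (level) => (...args) => sink[level](...args.map((a) => redactSecrets(a)));
  return { info: wrap('info'), warn: wrap('warn'), error: wrap('error') };
}

// Constructed sample of what POST /api/clients/m2m might return; the secret
// value is a placeholder, not a real credential.
const sampleResponse = {
  status: 201,
  body: { client_id: 'm2m_example', client_secret: 'constructed-secret-value', scopes: ['read'] },
};

if (typeof require !== 'undefined' && require.main === module) {
  const logger = createSafeLogger(console);
  logger.info('issued m2m client', sampleResponse);
  logger.info('raw body', JSON.stringify(sampleResponse.body));
}

module.exports = { redactSecrets, redactJsonString, createSafeLogger, sampleResponse, MASK };
```

The wrapper approach is deliberate: a single choke point is auditable, whereas per-call-site scrubbing is exactly the kind of thing a later `rotate-secret` handler forgets. Error-tracking integrations such as Sentry have their own before-send hooks; the same `redactSecrets` function can be applied there to the event payload.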