Publish GHSA-6465-jgvq-jhgp

advisory-database[bot] · advisory-database[bot] · commit 4635a206a6b0 · 2025-11-24T21:54:42.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-6465-jgvq-jhgp/GHSA-6465-jgvq-jhgp.json b/advisories/github-reviewed/2025/11/GHSA-6465-jgvq-jhgp/GHSA-6465-jgvq-jhgp.json
@@ -0,0 +1,282 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6465-jgvq-jhgp",
+  "modified": "2025-11-24T21:53:11Z",
+  "published": "2025-11-24T21:52:45Z",
+  "aliases": [
+    "CVE-2025-65944"
+  ],
+  "summary": "Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`",
+  "details": "### Impact\nWhen a Node.js application using the Sentry SDK has `sendDefaultPii: true` it is possible to inadvertently send certain sensitive HTTP headers, including the `Cookie` header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to  the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application. \n\nUsers may be impacted if:\n\n1. The Sentry SDK configuration has `sendDefaultPii` set to `true`\n2. The application uses one of the Node.js Sentry SDKs with version from `10.11.0` to `10.26.0` inclusively:\n- @sentry/astro\n- @sentry/aws-serverless\n- @sentry/bun\n- @sentry/google-cloud-serverless\n- @sentry/nestjs\n- @sentry/nextjs\n- @sentry/node\n- @sentry/node-core\n- @sentry/nuxt\n- @sentry/remix\n- @sentry/solidstart\n- @sentry/sveltekit\n\nUsers can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users' applications and configurations.\n\n### Patches\nThe issue has been patched in all Sentry JavaScript SDKs starting from the [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) version.\n\n### Workarounds\nSentry strongly encourages customers to upgrade the SDK to the latest available version, [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) or later.\nIf it is not possible, consider setting `sendDefaultPii: false` to avoid unintentionally sending sensitive headers. See [here](https://docs.sentry.io/platforms/javascript/guides/node/#step-2-configure) for documentation.\n\n### Resources\n* https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data\n* https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0\n* https://github.com/getsentry/sentry-javascript/pull/17475\n* https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/node"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/astro"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/aws-serverless"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/bun"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/google-cloud-serverless"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/nestjs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/nextjs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/node-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/nuxt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/remix"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/solidstart"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sentry/sveltekit"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.27.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/pull/17475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/pull/18311"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/getsentry/sentry-javascript"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/releases"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-201"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-24T21:52:45Z",
+    "nvd_published_at": null
+  }
+}
