Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8c030d5aa364 · 2025-11-27T07:58:54.000Z
GHSA-crcq-738g-pqvc GHSA-6465-jgvq-jhgp
diff --git a/advisories/github-reviewed/2025/08/GHSA-crcq-738g-pqvc/GHSA-crcq-738g-pqvc.json b/advisories/github-reviewed/2025/08/GHSA-crcq-738g-pqvc/GHSA-crcq-738g-pqvc.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-crcq-738g-pqvc",
-  "modified": "2025-08-26T17:12:20Z",
+  "modified": "2025-11-27T07:57:45Z",
   "published": "2025-08-25T20:42:45Z",
   "aliases": [
     "CVE-2025-57811"
   ],
   "summary": "Craft CMS Potential Remote Code Execution via Twig SSTI",
-  "details": "You must have administrator access, and `ALLOW_ADMIN_CHANGES` must be enabled for this to work.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nReferences: https://github.com/craftcms/cms/pull/17612",
+  "details": "Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nResources: https://github.com/craftcms/cms/pull/17612",
   "severity": [
     {
       "type": "CVSS_V4",
diff --git a/advisories/github-reviewed/2025/11/GHSA-6465-jgvq-jhgp/GHSA-6465-jgvq-jhgp.json b/advisories/github-reviewed/2025/11/GHSA-6465-jgvq-jhgp/GHSA-6465-jgvq-jhgp.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6465-jgvq-jhgp",
-  "modified": "2025-11-24T21:53:11Z",
+  "modified": "2025-11-27T07:56:25Z",
   "published": "2025-11-24T21:52:45Z",
   "aliases": [
     "CVE-2025-65944"
   ],
   "summary": "Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`",
-  "details": "### Impact\nWhen a Node.js application using the Sentry SDK has `sendDefaultPii: true` it is possible to inadvertently send certain sensitive HTTP headers, including the `Cookie` header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to  the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application. \n\nUsers may be impacted if:\n\n1. The Sentry SDK configuration has `sendDefaultPii` set to `true`\n2. The application uses one of the Node.js Sentry SDKs with version from `10.11.0` to `10.26.0` inclusively:\n- @sentry/astro\n- @sentry/aws-serverless\n- @sentry/bun\n- @sentry/google-cloud-serverless\n- @sentry/nestjs\n- @sentry/nextjs\n- @sentry/node\n- @sentry/node-core\n- @sentry/nuxt\n- @sentry/remix\n- @sentry/solidstart\n- @sentry/sveltekit\n\nUsers can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users' applications and configurations.\n\n### Patches\nThe issue has been patched in all Sentry JavaScript SDKs starting from the [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) version.\n\n### Workarounds\nSentry strongly encourages customers to upgrade the SDK to the latest available version, [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) or later.\nIf it is not possible, consider setting `sendDefaultPii: false` to avoid unintentionally sending sensitive headers. See [here](https://docs.sentry.io/platforms/javascript/guides/node/#step-2-configure) for documentation.\n\n### Resources\n* https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data\n* https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0\n* https://github.com/getsentry/sentry-javascript/pull/17475\n* https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies",
+  "details": "### Impact\nIn version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When `sendDefaultPii: true` was set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.\n\nSentry’s server-side scrubbing (handled by Sentry's Relay edge proxy) normally serves as a second layer of protection. However, because it relied on the same matching logic as the SDK, it also failed to catch these headers in this case.\n\nUsers may be impacted if:\n\n1. Their Sentry SDK configuration has `sendDefaultPii` set to `true`\n2. Their application uses one of the Node.js Sentry SDKs with version from `10.11.0` to `10.26.0` inclusively:\n- @sentry/astro\n- @sentry/aws-serverless\n- @sentry/bun\n- @sentry/google-cloud-serverless\n- @sentry/nestjs\n- @sentry/nextjs\n- @sentry/node\n- @sentry/node-core\n- @sentry/nuxt\n- @sentry/remix\n- @sentry/solidstart\n- @sentry/sveltekit\n\nUsers can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to users' applications and configurations.\n\n### Patches\nThe issue has been patched in all Sentry JavaScript SDKs starting from the [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) version.\n\n### Workarounds\nSentry strongly encourage customers to upgrade the SDK to the latest available version, [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) or later.\nIf it is not possible, consider setting `sendDefaultPii: false` to avoid unintentionally sending sensitive headers. See [here](https://docs.sentry.io/platforms/javascript/guides/node/#step-2-configure) for documentation.\n\n### Resources\n* https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data\n* https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0\n* https://github.com/getsentry/sentry-javascript/pull/17475\n* https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -249,6 +249,10 @@
       "type": "WEB",
       "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65944"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/getsentry/sentry-javascript/pull/17475"
@@ -257,6 +261,10 @@
       "type": "WEB",
       "url": "https://github.com/getsentry/sentry-javascript/pull/18311"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/getsentry/sentry-javascript"
@@ -265,6 +273,10 @@
       "type": "WEB",
       "url": "https://github.com/getsentry/sentry-javascript/releases"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0"
@@ -277,6 +289,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-11-24T21:52:45Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-11-25T01:15:46Z"
   }
 }
