GHSA-6465-JGVQ-JHGP

Vulnerability from github – Published: 2025-11-24 21:52 – Updated: 2025-11-27 07:56
Summary
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
Details

Impact

In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When sendDefaultPii: true was set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.

Sentry’s server-side scrubbing (handled by Sentry's Relay edge proxy) normally serves as a second layer of protection. However, because it relied on the same matching logic as the SDK, it also failed to catch these headers in this case.

Users may be impacted if:

  1. Their Sentry SDK configuration has sendDefaultPii set to true
  2. Their application uses one of the following Node.js Sentry SDKs at a version from 10.11.0 through 10.26.0 inclusive:
     • @sentry/astro
     • @sentry/aws-serverless
     • @sentry/bun
     • @sentry/google-cloud-serverless
     • @sentry/nestjs
     • @sentry/nextjs
     • @sentry/node
     • @sentry/node-core
     • @sentry/nuxt
     • @sentry/remix
     • @sentry/solidstart
     • @sentry/sveltekit

Users can check whether their project was affected by visiting Explore → Traces and searching for the span attributes “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to users' applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting with version 10.27.0.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later. If that is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See the Node SDK configuration documentation (https://docs.sentry.io/platforms/javascript/guides/node/#step-2-configure).
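As an added example (not code from the advisory or the Sentry project), the script below turns the two impact conditions and the workaround above into an automated check: given a project's installed Sentry packages and the options passed to `Sentry.init()`, it reports whether the advisory's conditions are met. The package list and version bounds are taken from this advisory; the function names are this example's own.

```javascript
// Added example, not code from the advisory or the Sentry SDK: checks a Node.js
// project against the conditions stated in GHSA-6465-jgvq-jhgp.
// Names (AFFECTED_PACKAGES, versionAffected, assessExposure) are this example's own.
const AFFECTED_PACKAGES = new Set([
  '@sentry/astro', '@sentry/aws-serverless', '@sentry/bun',
  '@sentry/google-cloud-serverless', '@sentry/nestjs', '@sentry/nextjs',
  '@sentry/node', '@sentry/node-core', '@sentry/nuxt', '@sentry/remix',
  '@sentry/solidstart', '@sentry/sveltekit',
]);
const INTRODUCED = [10, 11, 0]; // first release that leaks the headers
const FIXED = [10, 27, 0];      // first patched release

// Parse "10.26.0" (tolerating a leading ^, ~ or = and a pre-release suffix)
// into [major, minor, patch]. A caret/tilde range is read as its lower bound,
// so feed this the resolved version from the lockfile, not package.json's range.
function parseVersion(v) {
  const m = /^[\^~=]?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True for 10.11.0 <= version < 10.27.0, i.e. 10.11.0 through 10.26.x inclusive.
function versionAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, INTRODUCED) >= 0 && compareVersions(v, FIXED) < 0;
}

// deps: { packageName: resolvedVersion } for the project's installed packages.
// initOptions: the object passed to Sentry.init().
// Returns human-readable findings; an empty array means no advisory condition is met.
function assessExposure(deps, initOptions) {
  const vulnerable = Object.entries(deps)
    .filter(([name, ver]) => AFFECTED_PACKAGES.has(name) && versionAffected(ver))
    .map(([name, ver]) => `${name}@${ver}`);
  if (vulnerable.length === 0) return [];
  if (initOptions && initOptions.sendDefaultPii === true) {
    return [`EXPOSED: sendDefaultPii is true with ${vulnerable.join(', ')}; ` +
            'upgrade to 10.27.0 or later, or set sendDefaultPii: false meanwhile'];
  }
  return [`vulnerable SDK installed (${vulnerable.join(', ')}) but sendDefaultPii ` +
          'is not true; upgrade to 10.27.0 or later before enabling it'];
}

// Constructed sample input: one affected service and one already patched.
console.log(assessExposure({ '@sentry/node': '10.26.0' }, { sendDefaultPii: true }));
console.log(assessExposure({ '@sentry/node': '10.27.0' }, { sendDefaultPii: true }));
```

A clean result from this check says nothing about data already sent while an affected version was deployed; the trace search described above is still needed for that.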

Resources

  • https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data
  • https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0
  • https://github.com/getsentry/sentry-javascript/pull/17475
  • https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/aws-serverless"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/bun"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/google-cloud-serverless"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/nestjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/nextjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/node-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/remix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/solidstart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/sveltekit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-24T21:52:45Z",
    "nvd_published_at": "2025-11-25T01:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When `sendDefaultPii: true` was set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.\n\nSentry\u2019s server-side scrubbing (handled by Sentry\u0027s Relay edge proxy) normally serves as a second layer of protection. However, because it relied on the same matching logic as the SDK, it also failed to catch these headers in this case.\n\nUsers may be impacted if:\n\n1. Their Sentry SDK configuration has `sendDefaultPii` set to `true`\n2. Their application uses one of the Node.js Sentry SDKs with version from `10.11.0` to `10.26.0` inclusively:\n- @sentry/astro\n- @sentry/aws-serverless\n- @sentry/bun\n- @sentry/google-cloud-serverless\n- @sentry/nestjs\n- @sentry/nextjs\n- @sentry/node\n- @sentry/node-core\n- @sentry/nuxt\n- @sentry/remix\n- @sentry/solidstart\n- @sentry/sveltekit\n\nUsers can check if their project was affected, by visiting Explore \u2192 Traces and searching for \u201chttp.request.header.authorization\u201d, \u201chttp.request.header.cookie\u201d or similar. Any potentially sensitive values will be specific to users\u0027 applications and configurations.\n\n### Patches\nThe issue has been patched in all Sentry JavaScript SDKs starting from the [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) version.\n\n### Workarounds\nSentry strongly encourage customers to upgrade the SDK to the latest available version, [10.27.0](https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0) or later.\nIf it is not possible, consider setting `sendDefaultPii: false` to avoid unintentionally sending sensitive headers. \nSee [here](https://docs.sentry.io/platforms/javascript/guides/node/#step-2-configure) for documentation.\n\n### Resources\n* https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data\n* https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0\n* https://github.com/getsentry/sentry-javascript/pull/17475\n* https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies",
  "id": "GHSA-6465-jgvq-jhgp",
  "modified": "2025-11-27T07:56:25Z",
  "published": "2025-11-24T21:52:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/pull/17475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/pull/18311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry-javascript"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/releases/tag/10.27.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sentry\u0027s sensitive headers are leaked when `sendDefaultPii` is set to `true`"
}