CVE-2025-49009
📋 TL;DR
Para versions before 1.50.8 write Facebook user access tokens in plain text to the application log whenever a Facebook authentication request fails. Any Para server with Facebook authentication enabled and a log configuration that records WARN messages (which almost every default configuration does) is affected. Anyone who can read those logs, including rotated archives and copies shipped to a log aggregator, can use the tokens to act as the affected Facebook users. Upgrading stops new tokens from being written; it does not revoke tokens that are already in the logs.
💻 Affected Systems
- Para (Erudika)
⚠️ Manual Verification Required
The vendor advisory gives the affected range as versions before 1.50.8, but no machine-readable version range is attached to this entry, so automated detection cannot tell whether a given deployment is affected.
Why? The CVE database entry carries no structured version range from the vendor/NVD, only the prose statement in the advisory.
- Review the CVE details at NVD
- Check the vendor advisory against the exact Para version you run
- Confirm whether Facebook authentication is enabled on your deployment; servers without it are not affected
- Update to 1.50.8 or later if the version is older or cannot be determined
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains the log files (a compromised host, an exposed log aggregator, an over-shared log bucket) harvests the Facebook access tokens and uses them to impersonate users against the Facebook API, read their private Facebook data, or perform actions in Facebook-connected applications on their behalf, until each token expires or is revoked.
Likely Case
Staff, contractors, or log-monitoring tooling with legitimate read access to the logs see the tokens without any intrusion at all. Where logs are not tightly access-controlled, or copies are forwarded to a third-party log service, that visibility turns into account compromise.
If Mitigated
With strict log access controls and monitoring, exposure is limited to the accounts that are allowed to read the logs. That reduces the risk but does not eliminate it, and it does nothing about tokens that were already written.
🎯 Exploit Status
No exploit code is needed: the token appears in the log as-is and can be used directly. What the attacker needs is read access to the application log, which normally means access to the host, the log directory, or the log aggregation system. Failed Facebook authentication attempts by ordinary users are what populate the log, so the more such failures a server sees, the more tokens it exposes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.50.8
Vendor Advisory: https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
Restart Required: Yes
Instructions:
1. Update Para to version 1.50.8 or later.
2. Restart the Para server.
3. Verify the fix by triggering a failed Facebook authentication request and checking that no access token appears in the log.
4. Treat every token already present in existing logs (including rotated and aggregated copies) as compromised: redact or purge those log entries and invalidate the tokens on the Facebook side.
🔧 Temporary Workarounds
Disable Facebook authentication logging
Configure logging to drop WARN-level messages from FacebookAuthFilter, or disable Facebook authentication entirely if it is not needed. Raising the logger to ERROR hides every WARN message from that filter, not only the token-bearing one, so expect to lose visibility into failed Facebook logins while the workaround is in place. The logger name must match the package of FacebookAuthFilter in your build; check your Para jar if the name below does not take effect.
Modify log4j.properties or equivalent: log4j.logger.com.erudika.para.security.FacebookAuthFilter=ERROR
Restrict log access
Implement strict access controls on log files and on every log aggregation system that receives them, so that only the service account writing the log can read it. Apply the same ownership and mode to rotated files and to the log directory itself.
chown para:para para.log
chmod 600 para.log
If a log shipper runs under a separate account, grant that account read access with an ACL (for example setfacl -m u:<shipper-user>:r para.log) rather than widening the file mode.
🧯 If You Can't Patch
- Implement strict access controls on all log storage and aggregation systems
- Regularly audit and monitor log access patterns for suspicious activity
- Search existing logs for tokens that have already been written, redact them from every stored copy, and invalidate them on the Facebook side
🔍 How to Verify
Check if Vulnerable:
Check whether the Para version is below 1.50.8 and whether Facebook authentication is configured. Then examine the logs for WARN messages containing 'FacebookAuthFilter' together with an access_token= parameter: a match confirms both that the server is vulnerable and that tokens have already leaked.
Check Version:
Check Para configuration file or run: java -jar para.jar --version
Verify Fix Applied:
After updating to 1.50.8+, trigger a failed Facebook authentication request (use a throwaway test account, since the token in the request is the thing that used to leak) and verify that no access token appears in WARN-level log output.
📡 Detection & Monitoring
Log Indicators:
- WARN-level log entries containing 'FacebookAuthFilter' followed by URL parameters with 'access_token='
Network Indicators:
- A spike in failed Facebook authentication attempts against the Para server; each failure is one more token written to the log on an unpatched version
SIEM Query (Splunk-style; adapt field names to your platform):
source="para.log" AND "FacebookAuthFilter" AND "access_token=" AND level="WARN"
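The "Check if Vulnerable" step and the log indicator above both come down to the same three-condition match, plus two follow-ups a practitioner needs: an inventory of which tokens leaked (for revocation) and a redacted form of each line (for the stored copies). The script below is an added example, not code from Para or from this database entry. The sample log lines are constructed; the message wording and the abbreviated logger name are assumptions about Para's output, so adjust the match strings to what your own logs actually contain.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the indicator described on this page
# (WARN-level FacebookAuthFilter entry carrying a URL with access_token=).
# The message format and logger name are assumptions, not Para's real output;
# the token values are made up.
SAMPLE_LOG = """\
2025-06-10 12:00:01 INFO  c.e.p.s.FacebookAuthFilter - Facebook auth OK for user 123
2025-06-10 12:00:05 WARN  c.e.p.s.FacebookAuthFilter - Facebook auth request failed: https://graph.facebook.com/me?fields=id,name&access_token=EAAB1234example5678&format=json
2025-06-10 12:00:09 WARN  c.e.p.s.SomeOtherFilter - token check failed access_token=ZZZ
2025-06-10 12:00:11 WARN  c.e.p.s.FacebookAuthFilter - Facebook auth request failed: https://graph.facebook.com/me?access_token=EAAB9999other0000
"""

# access_token value runs until the next '&' or whitespace.
TOKEN_RE = re.compile(r"(access_token=)([^&\s]+)")


@dataclass
class Finding:
    line_no: int
    token: str      # the leaked token, kept for the revocation inventory
    redacted: str   # the same log line with every token value masked


def is_indicator(line: str) -> bool:
    """Same three conditions as the SIEM query: WARN level, FacebookAuthFilter, access_token=."""
    return "WARN" in line and "FacebookAuthFilter" in line and "access_token=" in line


def redact(line: str) -> str:
    """Mask every access_token value but keep the rest of the line intact."""
    return TOKEN_RE.sub(r"\1[REDACTED]", line)


def scan(text: str) -> list[Finding]:
    """Return one Finding per leaked token on lines matching the indicator."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not is_indicator(line):
            continue
        for m in TOKEN_RE.finditer(line):
            findings.append(Finding(n, m.group(2), redact(line)))
    return findings


def leaked_tokens(text: str) -> set[str]:
    """Distinct tokens that need to be invalidated on the Facebook side."""
    return {f.token for f in scan(text)}


if __name__ == "__main__":
    # Never print the full token; the prefix is enough to match it during cleanup.
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: token {f.token[:6]}... -> {f.redacted}")
    print(f"{len(leaked_tokens(SAMPLE_LOG))} distinct token(s) to invalidate")
```

Note that the third sample line carries an access_token= on a WARN line from a different filter and is deliberately not matched; widen `is_indicator` only if your own logs show tokens leaking elsewhere. Run `scan` over rotated archives and aggregator exports as well as the live file, since those copies leak just as much as para.log itself.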