CVE-2025-65944
📋 TL;DR
Sentry JavaScript SDK versions from 10.11.0 up to, but not including, 10.27.0 inadvertently send sensitive HTTP request headers such as Cookie to Sentry as part of trace data when sendDefaultPii is enabled. Anyone who can read events in the affected Sentry organization or project can view these headers and, with a captured session cookie or bearer token, impersonate the user it belongs to. Affects Node.js applications running a vulnerable @sentry/node version with sendDefaultPii: true in their Sentry configuration.
💻 Affected Systems
- Sentry-Javascript SDK
⚠️ Manual Verification Required
This site's database carries no structured version range for this CVE, so its automatic detection cannot decide whether your system is affected. Use the range from the vendor advisory instead (affected: 10.11.0 and later, before 10.27.0) and confirm manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with Sentry organization access harvest session cookies and bearer tokens from stored traces, impersonate the users they belong to and, if an administrator's session was captured, gain administrative control of the application.
Likely Case
Internal users or compromised Sentry accounts access sensitive headers, leading to session hijacking and unauthorized access to user accounts.
If Mitigated
Limited new exposure once sendDefaultPii is off or the SDK is patched, but headers already sent remain stored in Sentry traces for the retention period and stay readable by authorized Sentry users until those events are deleted. Rotate or invalidate any sessions and tokens that were captured.
🎯 Exploit Status
Exploitation requires access to Sentry organization where traces are stored; no remote code execution or authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.27.0
Vendor Advisory: https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp
Restart Required: Yes
Instructions:
1. Update the Sentry JavaScript SDK to version 10.27.0 or later.
2. Run: npm update @sentry/node (or the framework package that bundles it). npm update stays inside the semver range in package.json, so if the version is pinned exactly, install the fixed release explicitly: npm install @sentry/node@^10.27.0.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Disable sendDefaultPii
Set sendDefaultPii: false in Sentry.init({ sendDefaultPii: false, ... }) to stop the SDK attaching default PII, including request headers, to events. Note that this also disables other PII the SDK collects by default, such as client IP addresses.
Filter sensitive headers
Manually filter out Cookie, Authorization and other sensitive headers before the event leaves the process.
Implement a beforeSendTransaction hook (beforeSend runs only for error events, not for the transactions that carry trace data) to strip header data from spans, and a beforeBreadcrumb hook for header data captured in breadcrumbs.
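An added example (not Sentry's own code) of such a hook, together with a finder you can run over events exported from Sentry to confirm the workaround or the patch worked (the "Verify Fix Applied" step below). It assumes header data appears either under event.request.headers / event.request.cookies or as span attributes keyed like the OpenTelemetry convention "http.request.header.<name>"; the exact attribute keys the affected SDK versions used are not stated on this page. The sample event is constructed, and the DSN is a placeholder.

```javascript
// Added example, not Sentry's own code. Strips sensitive request headers from a
// transaction event (for use as beforeSendTransaction) and locates any that remain.
// Assumption: headers live in event.request.headers / event.request.cookies or in
// span attributes keyed "http.request.header.<name>" (OpenTelemetry-style).

const SENSITIVE_HEADERS = new Set([
  'cookie', 'set-cookie', 'authorization', 'proxy-authorization', 'x-api-key',
]);

// Reduce a header name or span-attribute key to a bare, lower-case header name.
function headerNameOf(key) {
  const k = String(key).toLowerCase();
  const m = k.match(/^http\.(?:request|response)\.header\.(.+)$/);
  return (m ? m[1] : k).replace(/_/g, '-');
}

function isSensitiveKey(key) {
  return SENSITIVE_HEADERS.has(headerNameOf(key));
}

// Copy of obj without sensitive keys; non-objects are returned unchanged.
function dropSensitiveKeys(obj) {
  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) return obj;
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !isSensitiveKey(k)));
}

// Wire this up as `beforeSendTransaction` in Sentry.init. beforeSend alone is not
// enough: it runs only for error events, and the leak here is in traces.
function scrubSensitiveHeaders(event) {
  if (event.request) {
    event.request.headers = dropSensitiveKeys(event.request.headers);
    delete event.request.cookies;
  }
  for (const span of event.spans || []) span.data = dropSensitiveKeys(span.data);
  const trace = event.contexts && event.contexts.trace; // root span attributes
  if (trace) trace.data = dropSensitiveKeys(trace.data);
  return event;
}

// Return the path of every sensitive header still present in an event. Run this over
// events exported from Sentry after patching to verify nothing leaks any more.
function findSensitiveHeaders(event) {
  const hits = [];
  const scan = (obj, path) => {
    for (const k of Object.keys(obj || {})) {
      if (isSensitiveKey(k)) hits.push(`${path}.${k}`);
    }
  };
  if (event.request) {
    scan(event.request.headers, 'request.headers');
    if (event.request.cookies) hits.push('request.cookies');
  }
  (event.spans || []).forEach((s, i) => scan(s.data, `spans[${i}].data`));
  scan(event.contexts && event.contexts.trace && event.contexts.trace.data, 'contexts.trace.data');
  return hits;
}

// Constructed sample transaction event, shaped like what a vulnerable SDK with
// sendDefaultPii: true might emit. Illustrative only, not a real captured event.
function sampleEvent() {
  return {
    type: 'transaction',
    transaction: 'GET /account',
    request: {
      url: 'https://app.example/account',
      headers: { host: 'app.example', cookie: 'session=abc123', 'user-agent': 'x' },
      cookies: { session: 'abc123' },
    },
    contexts: { trace: { op: 'http.server',
      data: { 'http.request.header.cookie': 'session=abc123', 'http.route': '/account' } } },
    spans: [
      { op: 'http.client', data: { 'http.request.header.authorization': 'Bearer t0k3n', 'http.method': 'GET' } },
    ],
  };
}

// Options as they would be passed to Sentry.init(sentryOptions). The SDK itself is
// not imported here so that this file runs without it.
const sentryOptions = {
  dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0', // placeholder, not a real DSN
  sendDefaultPii: false,                        // primary mitigation for this CVE
  beforeSendTransaction: scrubSensitiveHeaders, // defence in depth if PII must stay on
};

function demo() {
  return {
    before: findSensitiveHeaders(sampleEvent()),
    after: findSensitiveHeaders(scrubSensitiveHeaders(sampleEvent())),
  };
}

console.log(JSON.stringify(demo(), null, 2)); // before: 4 locations, after: []
```

The scrubber works on a copy of the header maps rather than mutating them in place, so a header the SDK also uses elsewhere in the same event object is not lost. Keep sendDefaultPii: false as the primary control; the hook only covers the places this example knows to look.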
🧯 If You Can't Patch
- Disable sendDefaultPii configuration immediately.
- Restrict Sentry organization access to minimal trusted personnel only.
🔍 How to Verify
Check if Vulnerable:
Check the installed @sentry/node version (package-lock.json or npm ls, not only the range in package.json) for 10.11.0 or later but below 10.27.0, including any nested copy pulled in transitively by a framework package, and verify whether sendDefaultPii: true is set in your Sentry configuration.
Check Version:
npm list @sentry/node
Verify Fix Applied:
Confirm that every installed copy of @sentry/node is 10.27.0 or higher (npm ls @sentry/node) and that newly stored Sentry traces no longer contain Cookie or Authorization headers.
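An added example (not Sentry's or npm's own tooling) of the version check above done against the JSON that `npm ls @sentry/node --all --json` prints, walked recursively so that a nested copy of @sentry/node under a framework package is not missed. The sample tree below is constructed; the sendDefaultPii value is whatever you read from your own Sentry.init call.

```javascript
// Added example, not vendor tooling. Finds every installed copy of @sentry/node in
// the JSON output of `npm ls @sentry/node --all --json` and reports which copies fall
// in the affected range for CVE-2025-65944. Sample input below is constructed.

const AFFECTED_MIN = '10.11.0'; // first affected version (inclusive)
const PATCHED = '10.27.0';      // first fixed version

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata after "+" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below the
// corresponding release, so 10.27.0-alpha.1 is still inside the affected range.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffectedVersion(v) {
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, PATCHED) < 0;
}

// Walk npm's JSON tree and collect every copy of `name` with its path and version.
function findInstalled(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && info.version) out.push({ path: here.join(' > '), version: info.version });
    findInstalled(info, name, here, out);
  }
  return out;
}

// Verdict for a tree plus the sendDefaultPii setting read from your Sentry config:
// exposed only when a vulnerable copy is installed AND sendDefaultPii is true.
function assessTree(tree, sendDefaultPii) {
  const copies = findInstalled(tree, '@sentry/node');
  const affectedCopies = copies.filter(c => isAffectedVersion(c.version));
  return { copies, affectedCopies, exposed: sendDefaultPii === true && affectedCopies.length > 0 };
}

// Constructed sample of `npm ls @sentry/node --all --json` output: the top-level
// copy is patched, but a framework package still nests a vulnerable copy.
const SAMPLE_NPM_LS = {
  name: 'shop-api', version: '1.0.0',
  dependencies: {
    '@sentry/node': { version: '10.27.0' },
    '@sentry/nextjs': {
      version: '10.20.0',
      dependencies: { '@sentry/node': { version: '10.20.0' } },
    },
  },
};

console.log(JSON.stringify(assessTree(SAMPLE_NPM_LS, true), null, 2));
// exposed: true, because of "@sentry/nextjs > @sentry/node" at 10.20.0
```

To run it against a real project, replace SAMPLE_NPM_LS with JSON.parse of the captured `npm ls @sentry/node --all --json` output. A single patched top-level copy is not sufficient: each affected copy in the tree must be upgraded or removed.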
📡 Detection & Monitoring
Log Indicators:
- Sentry traces containing Cookie or Authorization headers in stored events
Network Indicators:
- Outbound traffic to Sentry containing sensitive HTTP headers when sendDefaultPii is enabled (only visible where egress to Sentry passes through a TLS-inspecting proxy, since the SDK sends events over HTTPS)
SIEM Query (illustrative pattern; adapt the source and field names to how Sentry events are ingested into your SIEM):
source="sentry" AND (header="Cookie" OR header="Authorization")
🔗 References
- https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539
- https://github.com/getsentry/sentry-javascript/pull/17475
- https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0
- https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp