GHSA-qx7g-fx8q-545g

Source

https://github.com/advisories/GHSA-qx7g-fx8q-545g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qx7g-fx8q-545g/GHSA-qx7g-fx8q-545g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qx7g-fx8q-545g

Aliases

CVE-2025-49009

Published

2025-06-06T15:49:58Z

Modified

2025-06-06T16:00:01.329509Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Para Inserts Sensitive Information into Log File for Facebook authentication

Details

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)

Technical Details:

The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:

logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`

Here, PROFILE_URL is a constant:

private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";

This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.

Database specific

{
    "nvd_published_at": "2025-06-05T17:15:29Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T15:49:58Z"
}

References

Affected packages

Maven / com.erudika:para-server

Package

Name: com.erudika:para-server; View open source insights on deps.dev
Purl: pkg:maven/com.erudika/para-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.50.7

Affected versions

1.*

1.13

1.14

1.14.1

1.15

1.16

1.16.1

1.16.2

1.17

1.17.1

1.18.0

1.18.1

1.18.2

1.18.3

1.18.4

1.18.5

1.18.6

1.18.7

1.18.8

1.18.9

1.19.0

1.20.0

1.21.0

1.21.1

1.22.0

1.23.0

1.23.1

1.24.0

1.24.1

1.24.2

1.24.3

1.24.4

1.24.5

1.25.0

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.26.0

1.26.1

1.26.2

1.27.0

1.28.0

1.28.1

1.28.2

1.28.3

1.28.4

1.28.5

1.29.0

1.29.1

1.29.2

1.30.0

1.30.1

1.30.2

1.31.0

1.31.1

1.31.2

1.31.3

1.32.0

1.33.0

1.33.1

1.34.0

1.34.1

1.34.2

1.34.3

1.35.0

1.36.0

1.36.1

1.37.0

1.37.1

1.38.0

1.38.1

1.38.2

1.38.3

1.38.4

1.39.0

1.39.1

1.40.0

1.41.0

1.41.1

1.41.2

1.41.3

1.42.0

1.42.1

1.42.2

1.43.0

1.43.1

1.43.2

1.43.3

1.43.4

1.44.0

1.45.0

1.45.1

1.45.2

1.45.3

1.45.4

1.45.5

1.45.6

1.45.7

1.45.8

1.45.9

1.45.10

1.46.0

1.46.1

1.46.2

1.46.3

1.47.0

1.47.1

1.47.2

1.48.0

1.48.1

1.48.2

1.49.0

1.49.1

1.49.2

1.49.3

1.49.4

1.49.5

1.50.0

1.50.1

1.50.2

1.50.3

1.50.4

1.50.5

1.50.6