GHSA-6465-jgvq-jhgp: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

When a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user’s application.

Users may be impacted if:

1. The Sentry SDK configuration has sendDefaultPii set to true
2. The application uses one of the Node.js Sentry SDKs with version from 10.11.0 to 10.26.0 inclusively:

• @sentry/astro
• @sentry/aws-serverless
• @sentry/bun
• @sentry/google-cloud-serverless
• @sentry/nestjs
• @sentry/nextjs
• @sentry/node
• @sentry/node-core
• @sentry/nuxt
• @sentry/remix
• @sentry/solidstart
• @sentry/sveltekit

Users can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users’ applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later. If it is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See here for documentation.

Resources

• https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data
• https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0
• https://github.com/getsentry/sentry-javascript/pull/17475
• https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies