Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-qx7g-fx8q-545g: Para Inserts Sensitive Information into Log File for Facebook authentication

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(…) with raw access token)

Technical Details:

The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:

logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`

Here, PROFILE_URL is a constant:

private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";

This results in the full request URL being logged, including the user’s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.

ghsa
Open in Source
#vulnerability#java#auth

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(…) with raw access token)

Technical Details:

The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:

logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`

Here, PROFILE_URL is a constant:

private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";

This results in the full request URL being logged, including the user’s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.

References

  • GHSA-qx7g-fx8q-545g
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49009
  • Erudika/para@46a908d

ghsa: Latest News

GHSA-wf8f-6423-gfxg: Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation
ghsa