Overview
This blog post details a security vulnerability, identified as CVE-2025-65944, affecting the Sentry-Javascript SDK. This vulnerability could lead to the inadvertent leakage of sensitive HTTP headers, including the Cookie header, to a Sentry organization. If exploited, this could allow unauthorized access and privilege escalation.
Technical Details
CVE-2025-65944 exists in Sentry-Javascript versions 10.11.0 through 10.26.x. When a Node.js application utilizing the Sentry SDK has the sendDefaultPii: true configuration enabled, certain sensitive HTTP headers are unintentionally sent to Sentry. Specifically, the Cookie header, containing authentication tokens and session identifiers, is captured and stored within the associated Sentry organization’s traces. This occurs due to improper filtering of headers when sendDefaultPii is active.
CVSS Analysis
Currently, a CVSS score is not available for CVE-2025-65944. However, given the potential for sensitive data leakage and subsequent unauthorized access, the severity of this vulnerability should be considered high.
Possible Impact
The potential impact of CVE-2025-65944 is significant. An attacker with access to the Sentry organization’s data could potentially view and use the captured Cookie headers to impersonate users or escalate their privileges within the affected application. This could lead to data breaches, unauthorized actions, and significant reputational damage.
Mitigation and Patch Steps
The vulnerability has been patched in Sentry-Javascript version 10.27.0. To mitigate the risk, immediately upgrade your Sentry-Javascript SDK to version 10.27.0 or later.
- Upgrade Sentry-Javascript: Update your project’s dependency on @sentry/javascript to version 10.27.0 or higher.
- Verify Configuration: If you cannot immediately upgrade, review your Sentry configuration and consider disabling sendDefaultPii: true. Be aware of the implications of disabling this setting for PII data capture.
- Monitor Sentry Instance: Review your Sentry instance for any unusual activity or unexpected data within traces.
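Beyond upgrading, a defence-in-depth step is to scrub sensitive headers from every event before the SDK sends it, so a misconfiguration like sendDefaultPii: true cannot leak a session cookie into traces. The following is an added example and not code from Sentry or from the advisory; it assumes the hook would be registered through the SDK's beforeSend and beforeSendTransaction options, and the sample event, header names, and the [Filtered] placeholder are constructed for illustration. The scrubber works regardless of which SDK version is installed.

```javascript
// Added example (not Sentry's own code): a defensive event-scrubbing hook for
// the Sentry JavaScript SDK. It replaces the values of headers that must never
// reach Sentry (Cookie, Set-Cookie, Authorization, ...) on a captured event
// before it leaves the process, independent of the sendDefaultPii setting.
// Assumption: the hook is wired in via Sentry's beforeSend / beforeSendTransaction
// options; the event shape (event.request.headers) follows Sentry's event payload.

// Header names (lower-case) whose values must never leave the application.
const SENSITIVE_HEADERS = new Set([
  "cookie",
  "set-cookie",
  "authorization",
  "proxy-authorization",
  "x-api-key",
]);

// Replacement value; chosen to match what Sentry shows for filtered data.
const REDACTED = "[Filtered]";

// Return a copy of `headers` with sensitive values replaced. The comparison is
// case-insensitive because Node may report "Cookie" or "cookie".
function scrubHeaders(headers) {
  if (!headers || typeof headers !== "object") return headers;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// beforeSend-style hook: scrubs request headers on the event itself and on any
// context block that carries a headers object. Returns the event so the SDK
// still sends it (returning null would drop it entirely).
function scrubEvent(event) {
  if (!event || typeof event !== "object") return event;
  if (event.request && event.request.headers) {
    event.request.headers = scrubHeaders(event.request.headers);
  }
  if (event.contexts && typeof event.contexts === "object") {
    for (const ctx of Object.values(event.contexts)) {
      if (ctx && typeof ctx === "object" && ctx.headers) {
        ctx.headers = scrubHeaders(ctx.headers);
      }
    }
  }
  return event;
}

// Count sensitive headers that still carry an unredacted value. Useful as a
// unit-test self-check that the hook actually ran on a given event.
function countLeakedHeaders(event) {
  let leaked = 0;
  const check = (headers) => {
    if (!headers || typeof headers !== "object") return;
    for (const [name, value] of Object.entries(headers)) {
      if (SENSITIVE_HEADERS.has(name.toLowerCase()) && value !== REDACTED) leaked++;
    }
  };
  check(event && event.request && event.request.headers);
  if (event && event.contexts && typeof event.contexts === "object") {
    for (const ctx of Object.values(event.contexts)) check(ctx && ctx.headers);
  }
  return leaked;
}

// Constructed sample event, shaped like what the SDK captures from an incoming
// HTTP request when sendDefaultPii is true. All values are made up.
const sampleEvent = {
  message: "constructed sample event",
  request: {
    url: "https://app.example.test/account",
    headers: {
      Cookie: "session=CONSTRUCTED_SESSION_VALUE",
      Authorization: "Bearer CONSTRUCTED_TOKEN",
      "User-Agent": "example-agent/1.0",
    },
  },
  // Constructed context carrying a headers object, to show the contexts walk.
  contexts: { http_extra: { headers: { cookie: "session=CONSTRUCTED_SESSION_VALUE" } } },
};

// Registration (shown as a comment so this file runs without the SDK installed):
//   Sentry.init({ dsn, sendDefaultPii: false,
//                 beforeSend: scrubEvent, beforeSendTransaction: scrubEvent });

// Stand-alone demonstration on a copy, so sampleEvent itself stays unmodified.
const demo = scrubEvent(JSON.parse(JSON.stringify(sampleEvent)));
console.log("leaked before:", countLeakedHeaders(sampleEvent), "after:", countLeakedHeaders(demo));
```

The hook only rewrites header values and never returns null, so error volume in Sentry is unchanged; only the sensitive material is removed. Keep the SENSITIVE_HEADERS list under review as the application adds its own authentication headers.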
