CVE-2025-65944 — Sensitive Info Insertion into Sent Data in Astro
Severity
5.1 MEDIUM (NVD)
EPSS
0.1%
top 77.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Latest update: Nov 24
Published: Nov 25
Description
Sentry-Javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate the…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L