| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @perfood/couch-auth | npm | <= 0.21.2 | 0.22.0 |
The vulnerability, CVE-2025-60794, in @perfood/couch-auth version 0.21.2 and older, lies in the improper handling of sensitive session data in memory. Analysis of the patch between versions 0.21.2 and 0.22.0 shows that the User.validateSession function and its helper Session.confirmToken were responsible for the flaw. The original implementation passed around a session object containing password hashes and salts. Although it attempted to remove these properties with the delete operator before returning the session object to the caller, delete only unlinks the property from the object; the underlying string values stay in the heap until the garbage collector reclaims them, and JavaScript offers no way to overwrite a string in place. This creates a risk of sensitive information leakage through memory dumps or other debugging techniques.
The patch addresses this by refactoring the session validation logic. The Session.confirmToken function was removed entirely, and a new SessionHashing.verifySessionPassword function was introduced. This new function returns a simple boolean indicating a successful validation rather than the session object itself. Consequently, User.validateSession was updated to construct a new, clean object containing only essential, non-sensitive session information upon successful validation. This ensures that the object containing the password hash and salt is no longer returned and can be safely garbage-collected, mitigating the risk of memory exposure.
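The two shapes described above, side by side, as an added illustration written for this page (it is not code from @perfood/couch-auth, and the record field names, the scrypt-based hashPassword helper and the function names validateSessionVulnerable / validateSessionFixed are assumptions chosen for the example):

```typescript
import * as crypto from "crypto";

// Constructed record shape: a stored session that carries the password
// hash and salt next to the public fields a caller actually needs.
interface SessionRecord {
  _id: string;
  user_id: string;
  expires: number;
  salt: string;
  derived_key: string;
}

// Only the non-sensitive fields, as the patched code returns them.
interface PublicSession {
  _id: string;
  user_id: string;
  expires: number;
}

// Illustrative scrypt-based hashing; the library's SessionHashing
// internals are not on the page, so this is an assumption.
function hashPassword(password: string, salt: string): string {
  return crypto.scryptSync(password, salt, 32).toString("hex");
}

function constantTimeEqualHex(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && crypto.timingSafeEqual(ba, bb);
}

// Builds a fresh record with a random salt (test helper, constructed).
function makeSessionRecord(userId: string, password: string): SessionRecord {
  const salt = crypto.randomBytes(16).toString("hex");
  return {
    _id: `session:${userId}`,
    user_id: userId,
    expires: Date.now() + 60_000,
    salt,
    derived_key: hashPassword(password, salt),
  };
}

// Vulnerable pattern (as the advisory describes pre-0.22.0): verify, then
// `delete` the secret properties and hand back the very same object.
function validateSessionVulnerable(record: SessionRecord, password: string): Partial<SessionRecord> | null {
  if (!constantTimeEqualHex(hashPassword(password, record.salt), record.derived_key)) {
    return null;
  }
  const session: Partial<SessionRecord> = record;
  delete session.salt;        // unlinks the property only; the string
  delete session.derived_key; // values are still in the heap
  return session;             // same object that held the secrets
}

// Patched pattern: a boolean verifier ...
function verifySessionPassword(record: SessionRecord, password: string): boolean {
  return constantTimeEqualHex(hashPassword(password, record.salt), record.derived_key);
}

// ... and a freshly constructed, allow-listed object on success, so the
// secret-bearing record is never returned and the caller never sees it.
function validateSessionFixed(record: SessionRecord, password: string): PublicSession | null {
  if (!verifySessionPassword(record, password)) {
    return null;
  }
  return { _id: record._id, user_id: record.user_id, expires: record.expires };
}
```

Two things to check in a review of code like this: the fixed path copies named fields into a new object rather than spreading the record (a spread would silently carry any future secret field along), and it leaves the stored record untouched, whereas the vulnerable path also mutates the record it was given.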
Affected functions: User.validateSession (src/user.ts), Session.confirmToken (src/session.ts)