N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65944

GHSA ID

GHSA-6465-jgvq-jhgp

EPSS Score

CWE

CWE-201

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65944

CVE-2025-65944: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

When a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application.

Users may be impacted if:

The Sentry SDK configuration has sendDefaultPii set to true
The application uses one of the Node.js Sentry SDKs with version from 10.11.0 to 10.26.0 inclusively:

@sentry/astro
@sentry/aws-serverless
@sentry/bun
@sentry/google-cloud-serverless
@sentry/nestjs
@sentry/nextjs
@sentry/node
@sentry/node-core
@sentry/nuxt
@sentry/remix
@sentry/solidstart
@sentry/sveltekit

Users can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users' applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later. If it is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See here for documentation.

Miggo Vulnerability Database

→

CVE-2025-65944

CVE-2025-65944:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65944

GHSA ID

GHSA-6465-jgvq-jhgp

EPSS Score

CWE

CWE-201

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@sentry/node	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/astro	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/aws-serverless	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/bun	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/google-cloud-serverless	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/nestjs	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/nextjs	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/node-core	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/nuxt	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/remix	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/solidstart	npm	>= 10.11.0, < 10.27.0	10.27.0
@sentry/sveltekit	npm	>= 10.11.0, < 10.27.0	10.27.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the httpHeadersToSpanAttributes function within the @sentry/core package. This function was introduced to convert HTTP request headers to OpenTelemetry span attributes. The initial implementation of this function did not respect the sendDefaultPii configuration option, leading to the unconditional logging of all HTTP headers, including sensitive ones like Cookie and Authorization. The fix, introduced in commit 88c1db5ec04110a4f724f631940eabf661537513, added a check for the sendDefaultPii flag and a list of sensitive header snippets to filter out when sendDefaultPii is false. This prevents the leakage of sensitive information. The vulnerability affects multiple Sentry SDK packages for Node.js frameworks because they all use this core function to process request headers.

Vulnerable functions

httpHeadersToSpanAttributes

packages/core/src/utils/request.ts

This function is responsible for converting HTTP request headers into span attributes. The vulnerability lies in the fact that it did not filter out sensitive headers when `sendDefaultPii` was set to `false`. An attacker with access to the Sentry organization could view these sensitive headers and potentially use them to impersonate users or escalate privileges.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65944: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

Patches

Workarounds

CVE-2025-65944:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-65944: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

Patches

Workarounds

Resources

Technical Details

N/A

N/A

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65944: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

Patches

Workarounds

CVE-2025-65944:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-65944: Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

Impact

Patches

Workarounds

Resources

Technical Details

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI