CVE-2025-65944

MEDIUM

Sentry-Javascript <10.27.0 - Info Disclosure


Description

Sentry-Javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate users or escalate their privileges within the application. This issue has been patched in version 10.27.0.
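Upgrading to 10.27.0 is the fix; as a defence-in-depth measure while sendDefaultPii stays enabled, an application can also redact sensitive headers from every event before it leaves the process. The following is an added example, not code from the Sentry SDK or this advisory: it assumes the public Sentry event shape (event.request.headers, event.spans[].data) and the documented beforeSend / beforeSendTransaction init hooks, and it assumes captured headers may appear as span attributes named http.request.header.<name>.

```javascript
// Added example (not Sentry's own code). Header names are compared
// case-insensitively; values are replaced rather than deleted so the
// event still shows that the header was present.
const SENSITIVE_HEADERS = new Set([
  "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
]);
const FILTERED = "[Filtered]";

// Return a copy of a headers object with sensitive values redacted.
function redactHeaders(headers) {
  if (!headers || typeof headers !== "object") return headers;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? FILTERED : value;
  }
  return out;
}

// Assumption: a captured header may also surface as a span attribute such as
// "http.request.header.cookie"; redact those keys as well.
function redactSpanData(data) {
  if (!data || typeof data !== "object") return data;
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    const m = key.match(/^http\.(?:request|response)\.header\.(.+)$/i);
    out[key] = m && SENSITIVE_HEADERS.has(m[1].toLowerCase()) ? FILTERED : value;
  }
  return out;
}

// Hook body for beforeSend / beforeSendTransaction: returns a scrubbed copy of
// the event (never mutates the original, never drops the event).
function scrubEvent(event) {
  if (!event || typeof event !== "object") return event;
  const copy = { ...event };
  if (copy.request && copy.request.headers) {
    copy.request = { ...copy.request, headers: redactHeaders(copy.request.headers) };
  }
  if (Array.isArray(copy.spans)) {
    copy.spans = copy.spans.map((span) => ({ ...span, data: redactSpanData(span.data) }));
  }
  return copy;
}

// Wiring into the SDK (assumes @sentry/node is installed; left commented so
// this file runs stand-alone):
// Sentry.init({ dsn: process.env.SENTRY_DSN, sendDefaultPii: true,
//   beforeSend: scrubEvent, beforeSendTransaction: scrubEvent });
```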

Scores

CVSS v4 5.1
EPSS 0.0005
EPSS Percentile 16.5%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-201
Status published
Products (13)
getsentry/sentry-javascript >= 10.11.0, < 10.27.0
sentry/astro 10.11.0 - 10.27.0 (npm)
sentry/aws-serverless 10.11.0 - 10.27.0 (npm)
sentry/bun 10.11.0 - 10.27.0 (npm)
sentry/google-cloud-serverless 10.11.0 - 10.27.0 (npm)
sentry/nestjs 10.11.0 - 10.27.0 (npm)
sentry/nextjs 10.11.0 - 10.27.0 (npm)
sentry/node 10.11.0 - 10.27.0 (npm)
sentry/node-core 10.11.0 - 10.27.0 (npm)
sentry/nuxt 10.11.0 - 10.27.0 (npm)
... and 3 more
Published Nov 25, 2025
Tracked Since Feb 18, 2026