CVE-2025-50200
BaseFortify

Publication date: 2025-06-19

Last updated on: 2025-08-06

Assigner: GitHub, Inc.

Description
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ logs Authorization headers in plaintext, base64-encoded. When the RabbitMQ HTTP API is queried over HTTP or HTTPS with basic authentication, the broker writes log entries containing every header of the request, including the Authorization header, which carries the base64-encoded username:password pair. Base64 is an encoding, not encryption, so the credentials are trivially recovered by anyone who can read the logs and could then be used to gain control of the system, depending on the privileges of the account. This issue has been patched in version 4.0.8.
Meta Information
Published: 2025-06-19
Last Modified: 2025-08-06
Generated: 2026-05-07
AI Q&A: 2025-06-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: broadcom
Product: rabbitmq_server
Version / Range: up to 4.0.8 (exclusive)
CWE
CWE-532: The product writes sensitive information to a log file.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects RabbitMQ versions up to and including 3.13.7: when an HTTP API request is logged, the broker writes the full set of request headers, including the Authorization header, to its logs in plaintext. With HTTP Basic Authentication that header is simply "Basic " followed by the Base64 encoding of username:password. Base64 is reversible with a one-line command, so anyone who can read the logs (a local user, a backup operator, or anyone with access to a central log store the broker ships to) can recover the credentials and, depending on the privileges of the account, gain unauthorized access to the broker. [1]


How can this vulnerability impact me?

If an attacker gains read access to RabbitMQ logs, they can extract the Base64-encoded Authorization headers and decode them to obtain usernames and passwords. Because the log file is often far less protected than the credentials it now contains (readable by other local users, copied into backups, forwarded to log aggregation), this turns a log-access problem into an authentication bypass. The recovered credentials grant access to the HTTP API with the rights of that user, and if the account is an administrator the attacker can control or manipulate the messaging broker: read or publish messages, change permissions, or create further users. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exposure is detected by examining RabbitMQ logs for entries that contain HTTP request headers with Basic Authentication data logged in plaintext. Specifically, look for log lines that include the 'Authorization' header followed by 'Basic' and a Base64 string (the encoded username:password). On a Unix-like system, a first pass is: grep -i 'Authorization' /path/to/rabbitmq/logs/*.log, and a tighter pattern that only matches the Basic scheme is: grep -iE 'authorization.{1,12}basic ' /path/to/rabbitmq/logs/*.log. Remember to search rotated and archived logs and any central log store as well, since copies leak the same credentials. Decoding a Base64 string found in these logs confirms exposure of credentials; any account whose credentials appear should be treated as compromised and rotated. [1]
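The detection logic above, run over sample log lines, as an added example for this page (not RabbitMQ's own code). The sample log lines are constructed to resemble the broker's log layout and are not real captures; the exact rendering of the headers in affected versions may differ, so the regex is deliberately tolerant of the separator between the header name and the scheme. The script extracts usernames for rotation but never prints the password itself, only its length.

```python
"""Scan RabbitMQ-style log lines for leaked HTTP Basic credentials (CWE-532).

Added example; not part of RabbitMQ. The log layout and header rendering
below are assumptions, which is why BASIC_AUTH_RE is tolerant of the
separator between "authorization" and "Basic".
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "Authorization: Basic <token>" as well as Erlang-term renderings
# such as {<<"authorization">>,<<"Basic <token>">>}. Case-insensitive.
BASIC_AUTH_RE = re.compile(
    r'authorization\W{1,12}basic\s+([A-Za-z0-9+/=]+)', re.IGNORECASE
)


def basic_header(user: str, password: str) -> str:
    """Build the value a client sends for HTTP Basic auth (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _line(level: str, msg: str) -> str:
    """Constructed RabbitMQ-like log line: timestamp, severity, pid, message."""
    return f"2025-06-19 10:15:03.000000+00:00 [{level}] <0.2345.0> {msg}"


# Constructed sample log. The credentials are made up.
SAMPLE_LOG = [
    _line("info", "accepting AMQP connection <0.1234.0> (10.0.0.5:51234 -> 10.0.0.1:5672)"),
    _line("error", 'HTTP request failed, headers: [{<<"authorization">>,<<"'
          + basic_header("admin", "Sup3rS3cr3t!") + '">>},{<<"host">>,<<"rabbit:15672">>}]'),
    _line("error", "Authorization: " + basic_header("monitoring", "r3ad-only") + ", Host: rabbit:15672"),
    _line("error", 'headers: [{<<"authorization">>,<<"Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig">>}]'),  # not Basic
    _line("error", 'headers: [{<<"authorization">>,<<"Basic YWRtaW4">>}]'),  # bad padding
    _line("error", 'headers: [{<<"authorization">>,<<"Basic '
          + base64.b64encode(b"nocolon").decode() + '">>}]'),  # decodes, but no user:pass separator
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    status: str              # "credentials" | "undecodable" | "no-colon"
    username: Optional[str]
    password_len: int        # the password itself is never stored or printed


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that carries a Basic Authorization header."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = BASIC_AUTH_RE.search(line)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            # Still worth reporting: the header was logged even if truncated.
            findings.append(Finding(n, "undecodable", None, 0))
            continue
        user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
        if not sep:
            findings.append(Finding(n, "no-colon", None, 0))
            continue
        findings.append(Finding(n, "credentials", user, len(password)))
    return findings


def users_to_rotate(findings: List[Finding]) -> List[str]:
    """Distinct accounts whose password was recoverable from the logs."""
    return sorted({f.username for f in findings if f.status == "credentials"})


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.status} user={f.username} password_len={f.password_len}")
    print("rotate:", users_to_rotate(found))
```

Point the scanner at real files by replacing SAMPLE_LOG with the lines of each log (including rotated and archived copies); the "undecodable" status is kept because a truncated header still proves that credentials were being written to disk.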


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading RabbitMQ to a patched version, specifically 3.13.8, 4.0.8, 4.1.0 or later, where this logging issue has been fixed. Upgrading alone does not undo the exposure: rotate the password of every account whose Authorization header appears in existing logs, and purge or redact those entries from archived logs, backups, and any central log store they were forwarded to. Restrict file permissions on RabbitMQ log directories so that only the broker and its operators can read them. Avoid sending Basic Authentication over unencrypted channels, and monitor logs for unexpected access. If upgrading immediately is not possible, consider disabling or limiting the logging of HTTP request headers temporarily, if your deployment supports it. [1]

