CVE-2025-65944
BaseFortify

Publication date: 2025-11-25

Last updated on: 2025-11-25

Assigner: GitHub, Inc.

Description
Sentry-Javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate users or escalate their privileges within the application. This issue has been patched in version 10.27.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-11-25
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)
Vendor   Product            Version / Range
sentry   sentry_javascript  10.27.0
sentry   sentry_javascript  10.11.0
CWE
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Executive Summary

This vulnerability occurs in Sentry-Javascript SDK versions from 10.11.0 to before 10.27.0 when the configuration option sendDefaultPii is set to true. In this case, certain sensitive HTTP headers, including the Cookie header, can be inadvertently sent to Sentry and stored within the Sentry organization as part of the associated trace. This exposure allows anyone with access to the Sentry organization to view and potentially misuse these sensitive values to impersonate users or escalate privileges within the application. The issue was fixed in version 10.27.0.

Impact Analysis

If you use the affected versions of the Sentry-Javascript SDK with sendDefaultPii set to true, sensitive HTTP headers such as cookies may be exposed to anyone with access to your Sentry organization. This can lead to unauthorized access, user impersonation, and privilege escalation within your application, potentially compromising the security and integrity of your system.

Compliance Impact

This vulnerability can lead to the unintended exposure of sensitive personal data (such as cookies) to unauthorized parties, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. Therefore, it can negatively impact compliance with these standards by risking unauthorized data disclosure.

Mitigation Strategies

Upgrade the Sentry-Javascript SDK to version 10.27.0 or later, as this version contains the patch that fixes the vulnerability related to sending sensitive HTTP headers when sendDefaultPii is set to true.
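As an added example (not code from this CVE record or from the Sentry project), a defence-in-depth event hook for the Node SDK that scrubs the Cookie header and related values from error and transaction events before they are sent, for deployments that must keep sendDefaultPii: true while the upgrade to 10.27.0 is rolled out. The list of headers treated as sensitive and the sample event are assumptions constructed for this example; beforeSend and beforeSendTransaction are the SDK's own hooks, shown in a comment so the file runs offline.

```javascript
// Added example (not from the CVE record or the Sentry project): strip sensitive
// request headers before an event leaves the process, so that even with
// sendDefaultPii: true a Cookie value never reaches the Sentry organization's trace.
// Upgrading to 10.27.0 or later remains the real fix.
// Which headers count as sensitive is this example's own assumption.
const SENSITIVE_HEADERS = new Set(['cookie', 'set-cookie', 'authorization', 'proxy-authorization']);

// Usable as both beforeSend (error events) and beforeSendTransaction (transaction
// events): both carry an optional `request` object with `headers` and `cookies`.
// Header names are matched case-insensitively, since HTTP header names are.
// The input event is not mutated; a scrubbed copy is returned.
function scrubSensitiveHeaders(event) {
  if (!event || !event.request) return event;
  const request = { ...event.request };
  if (request.headers) {
    request.headers = Object.fromEntries(
      Object.entries(request.headers).map(([name, value]) =>
        SENSITIVE_HEADERS.has(name.toLowerCase()) ? [name, '[Filtered]'] : [name, value]),
    );
  }
  // The SDK may also expose parsed cookies as their own field; drop it entirely.
  delete request.cookies;
  return { ...event, request };
}

// Constructed sample transaction event, shaped like what the Node SDK builds for
// an incoming HTTP request when sendDefaultPii is enabled (values are made up).
const sampleTransaction = {
  type: 'transaction',
  transaction: 'GET /account',
  request: {
    method: 'GET',
    url: 'https://app.example/account',
    headers: { Host: 'app.example', Cookie: 'session=abc123', 'User-Agent': 'curl/8' },
    cookies: { session: 'abc123' },
  },
};

// Wiring into the SDK (requires @sentry/node; shown as a comment so this runs offline):
// Sentry.init({ dsn: '<DSN>', sendDefaultPii: true,
//   beforeSend: scrubSensitiveHeaders, beforeSendTransaction: scrubSensitiveHeaders });

const scrubbed = scrubSensitiveHeaders(sampleTransaction);
console.log(JSON.stringify(scrubbed.request, null, 2));
```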
