CVE-2025-67745
Sensitive Data Exposure in MyHoard Logs via Encryption Key Leakage

Publication date: 2025-12-18

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: aiven
Product: myhoard
Version range: from 1.0.1 (inclusive) to 1.3.0 (exclusive)
CWE ID: CWE-402
Description: The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67745 is a vulnerability in the myhoard package (versions prior to 1.3.0) where the software logs the entire backup information, including sensitive encryption keys, in plain text. This means that the encryption keys used to protect backups are exposed in log files, potentially allowing unauthorized parties to access them. The issue is due to improper handling of sensitive data in logs, classified as CWE-402 (Resource Leak). The vulnerability is fixed in version 1.3.0 by masking sensitive fields in logs. [1, 2]


How can this vulnerability impact me?

This vulnerability can lead to exposure of encryption keys through log files, which compromises the confidentiality of your backups. An attacker with access to these logs could obtain the encryption keys and decrypt backup data, leading to potential data breaches. The impact on confidentiality is high, while integrity and availability impacts are low or none. The attack can be performed remotely with low complexity and low privileges, without user interaction. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the myhoard log files for the presence of backup encryption keys in plain text. Since the issue involves logging the entire backup info including sensitive encryption keys, you can search the logs for patterns that match encryption keys or related backup metadata. For example, you can use commands like `grep -r 'encryption_key' /path/to/myhoard/logs` or `grep -r 'basebackup_info' /path/to/myhoard/logs` to find exposed keys in logs. Additionally, monitoring network traffic for unencrypted transmission of backup keys could help, but the primary detection is through log inspection. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading myhoard to version 1.3.0 or later, where the vulnerability is fixed by masking sensitive fields in logs. If upgrading is not immediately possible, a temporary workaround is to redirect the myhoard logs to /dev/null to prevent sensitive data exposure. This prevents the encryption keys from being written to log files. Additionally, reviewing and applying the patch that masks sensitive fields in logs can help mitigate the issue. [1, 2]
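The log inspection described in the detection answer and the field masking described in the mitigation answer, as an added Python example that is not part of this record or of myhoard's own code: it scans constructed log lines for backup metadata that carries an encryption key in clear, and shows the masking a fixed logger would apply before writing the metadata out. The sample log layout, and every field name other than encryption_key, are assumptions.

```python
import json

# Secret-bearing fields: "encryption_key" is named in the advisory; the rest are assumptions.
SENSITIVE_KEYS = {"encryption_key", "password", "secret"}
MASK = "<redacted>"

# Constructed sample log lines; this does not reproduce myhoard's real log layout.
SAMPLE_LOG = """\
2025-12-18 10:00:01 INFO Starting backup stream
2025-12-18 10:00:02 INFO Backup info: {"basebackup_info": {"end_ts": 1765980002}, "encryption_key": "k3y-EXAMPLE-0000", "site": "default"}
2025-12-18 10:00:03 INFO Backup completed
"""

def find_json_payload(line):
    """Return the {...} object embedded in a log line, or None if there is none."""
    start, end = line.find("{"), line.rfind("}")
    if start == -1 or end <= start:
        return None
    try:
        return json.loads(line[start:end + 1])
    except json.JSONDecodeError:
        return None

def leaked_fields(obj, path=""):
    """Dotted paths of sensitive fields (at any nesting depth) whose value is in clear."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            dotted = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and value and value != MASK:
                hits.append(dotted)
            hits.extend(leaked_fields(value, dotted))
    return hits

def scan_log(lines):
    """Detection: (line_number, leaked field paths) for each offending log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = leaked_fields(find_json_payload(line))
        if hits:
            findings.append((number, hits))
    return findings

def mask_sensitive(obj):
    """Mitigation: copy of the metadata that is safe to log, secrets replaced by MASK."""
    if isinstance(obj, dict):
        return {k: MASK if k.lower() in SENSITIVE_KEYS else mask_sensitive(v)
                for k, v in obj.items()}
    return obj
```

Running `scan_log(SAMPLE_LOG.splitlines())` reports line 2 with the `encryption_key` path, while the output of `mask_sensitive` on the same payload passes the scan clean.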


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes encryption keys in logs, which can lead to unauthorized access to sensitive backup data. Such exposure of sensitive information can result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on the confidentiality and security of personal and protected health information. Therefore, the vulnerability increases the risk of violating these compliance requirements due to improper handling and logging of sensitive encryption keys. [1]

