CVE-2025-67745
Sensitive Data Exposure in MyHoard Logs via Encryption Key Leakage

Publication date: 2025-12-18

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null.
Meta Information
Generated
2026-06-16
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Vendor Product Version / Range
aiven myhoard From 1.0.1 (inclusive) to 1.3.0 (exclusive)
CWE ID Description
CWE-402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Executive Summary

CVE-2025-67745 is a vulnerability in the myhoard package, versions 1.0.1 up to but not including 1.3.0, in which the daemon in some cases logs the whole backup info record, including the backup encryption key. The key that protects the backups therefore ends up in the log stream, where anyone who can read the logs can obtain it. The weakness is CWE-402 (Transmission of Private Resources into a New Sphere, 'Resource Leak'): a resource intended only for the product is made available to other parties. Version 1.3.0 fixes the issue by masking sensitive fields in log output. [1, 2]

Impact Analysis

Anyone who can read the logs can recover the backup encryption key and, given access to the backup objects, decrypt them; the confidentiality of every backup whose key was logged is compromised. Integrity and availability of the backups are not directly affected. The practical precondition is read access to the log stream rather than to the backup store or the key material itself, and that audience is usually much wider: local log files, journald, syslog and any central log platform the logs are forwarded to all receive a copy of the key, and log retention often outlives backup retention. Because the advisory says the key is logged only "in some cases", assume that any log written by an affected version may contain one. [1]

Detection Guidance

Detection is log inspection: search every copy of the myhoard logs written by an affected version for the backup-info dump and its encryption key. Starting points are the field names, for example `grep -r 'encryption_key' /path/to/myhoard/logs` or `grep -r 'basebackup_info' /path/to/myhoard/logs`; adjust the patterns to the actual field names and log format of the deployed version. The search has to cover everywhere the logs went, not only the local files: journald, syslog, log forwarders and central log platforms all hold copies, often with longer retention than the backups themselves. Record a finding by line number and a short key prefix rather than pasting the key into a ticket, which would leak it again. Watching the network for keys in transit is only relevant where logs are forwarded in cleartext; the primary detection remains inspection of the stored logs. [1]
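The grep commands above find the lines but also print the key to the terminal and into any scrollback or ticket. The scanner below, an added example that is not part of myhoard or of this advisory, reports each hit by line number, key prefix and key length only. The sample log lines are constructed for the example; their layout and the exact shape of the backup-info dump are assumptions, and only the field name `encryption_key` comes from the guidance above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample lines in a plausible myhoard-style layout (not real myhoard
# output). Lines 2 and 4 dump a backup-info dict that carries an "encryption_key"
# field, once as a Python repr and once as JSON.
SAMPLE_LOG = """\
2025-12-01 10:00:01 INFO myhoard.backup_stream Starting basebackup for stream abc123
2025-12-01 10:00:05 INFO myhoard.backup_stream Backup info: {'binlog_index': 17, 'encryption_key': 'c2VjcmV0LWtleS1ieXRlcy1oZXJl', 'site': 'default'}
2025-12-01 10:00:07 INFO myhoard.controller Uploaded basebackup_info for stream abc123
2025-12-01 10:01:00 INFO myhoard.backup_stream Backup info: {"encryption_key": "AAAAQUJDREVGRw==", "binlog_index": 18}
2025-12-01 10:02:00 INFO myhoard.controller Nothing to do
"""

# An "encryption_key" field followed by a quoted value, in repr ({'k': 'v'}) or
# JSON ({"k": "v"}) form. The surrounding layout is an assumption; tune it to
# the log format of the deployed version.
KEY_FIELD = re.compile(r"""(['"])encryption_key\1\s*:\s*(['"])(?P<key>[^'"]+)\2""")


@dataclass
class Finding:
    lineno: int
    key_prefix: str   # first four characters: enough to correlate across log copies
    key_length: int   # without copying the full key into yet another file


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per encryption_key occurrence, never the key itself."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        for match in KEY_FIELD.finditer(line):
            key = match.group("key")
            findings.append(Finding(lineno, key[:4], len(key)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a log file on disk; errors="replace" keeps a stray byte from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


def report(findings: List[Finding]) -> List[str]:
    """Summary lines that are safe to paste into a ticket."""
    return [
        f"line {f.lineno}: encryption_key present (prefix {f.key_prefix!r}, {f.key_length} chars)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(scan_lines(SAMPLE_LOG.splitlines())):
        print(line)
```

Run `scan_file` over each copy of the logs (local files, exported journald output, archives pulled back from the central log platform); a non-empty result for any copy means that copy has to be purged or access-restricted as well, not only the file on the backup host.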

Mitigation Strategies

Upgrade myhoard to version 1.3.0 or later, where sensitive fields are masked in log output. Until the upgrade is possible, the vendor's workaround is to direct the logs to /dev/null; that stops new keys from being written but also discards all operational logging, so treat it as short-term only. A less drastic interim measure is to redact the field at the log sink rather than discard the logs altogether. Upgrading does not remediate keys already written: purge or restrict every copy of the affected logs (local files, journald, forwarders, central log storage, backups of the log host) and treat any key found in them as compromised for the backups it protects. [1, 2]
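The difference between the vendor's /dev/null workaround and the 1.3.0 fix is the difference between discarding and redacting. The code below, an added example and not myhoard's own fix, shows the vulnerable logging pattern (the whole backup-info dict passed to the logger) next to a `logging.Filter` that masks the `encryption_key` value before any handler writes it. The dict contents, the logger names and the list of sensitive field names are assumptions for the example.

```python
import io
import logging
import re
from typing import Tuple

# Field names whose values must never reach a log line. "encryption_key" is the
# field named in this advisory; extending the tuple per deployment is an assumption.
SENSITIVE_FIELDS = ("encryption_key",)

# A quoted sensitive field followed by a quoted value, in Python-repr or JSON form.
FIELD_RE = re.compile(
    r"""(['"])(?P<name>%s)\1\s*:\s*(['"])(?P<value>[^'"]*)\3"""
    % "|".join(map(re.escape, SENSITIVE_FIELDS))
)


def redact(text: str) -> str:
    """Replace the value of every sensitive field with a fixed marker, keeping the field name."""
    def _mask(m):
        q1, q2 = m.group(1), m.group(3)
        return f"{q1}{m.group('name')}{q1}: {q2}***REDACTED***{q2}"
    return FIELD_RE.sub(_mask, text)


class RedactSecretsFilter(logging.Filter):
    """Rewrites the formatted message before the handler writes it.

    Attached to a handler rather than a logger so that every record passing
    through that handler is covered, whichever logger produced it.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        masked = redact(message)
        if masked != message:
            record.msg = masked
            record.args = ()
        return True


def _make_logger(name: str, redacting: bool) -> Tuple[logging.Logger, io.StringIO]:
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactSecretsFilter())
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, buf


def log_backup_info(backup_info: dict) -> Tuple[str, str]:
    """Log the same backup-info dict through a leaky and a redacting logger; return both outputs."""
    leaky, leaky_buf = _make_logger("demo.leaky", redacting=False)
    safe, safe_buf = _make_logger("demo.safe", redacting=True)
    # The logging call itself is the vulnerable pattern: the whole dict, key included.
    leaky.info("Backup info: %r", backup_info)
    safe.info("Backup info: %r", backup_info)
    return leaky_buf.getvalue(), safe_buf.getvalue()


# Constructed backup-info dict; the key is a placeholder value, not a real one.
EXAMPLE_INFO = {"binlog_index": 17, "encryption_key": "c2VjcmV0LWtleS1ieXRlcy1oZXJl", "site": "default"}

if __name__ == "__main__":
    before, after = log_backup_info(EXAMPLE_INFO)
    print(before, end="")
    print(after, end="")
```

A sink-side filter like this catches whatever the application chooses to log, which is why it is a reasonable stopgap, but it depends on the pattern matching the actual serialization; the durable fix is the upstream one, never passing the key-bearing record to the logger in the first place.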

Compliance Impact

This vulnerability exposes encryption keys in logs, which can lead to unauthorized access to sensitive backup data. Such exposure of sensitive information can result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on the confidentiality and security of personal and protected health information. Therefore, the vulnerability increases the risk of violating these compliance requirements due to improper handling and logging of sensitive encryption keys. [1]
