
CVE-2025-48955: CWE-532: Insertion of Sensitive Information into Log File in Erudika para

Medium
Tags: Vulnerability, CVE-2025-48955, CWE-532
Published: Mon Jun 02 2025 (06/02/2025, 11:11:22 UTC)
Source: CVE Database V5
Vendor/Project: Erudika
Product: para

Description

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.

AI-Powered Analysis

Last updated: 07/11/2025, 08:01:53 UTC

Technical Analysis

CVE-2025-48955 is a vulnerability identified in the Erudika para backend server/framework, which is designed for multitenant object persistence and retrieval. The vulnerability affects all versions prior to 1.50.8. The core issue is the improper handling of sensitive credentials—specifically, access and secret keys—within the application logs. These credentials are logged in plaintext without any redaction or masking, violating secure logging practices as defined by CWE-532 (Insertion of Sensitive Information into Log File). The sensitive keys are reused later in variable assignments for persistence operations, but their presence in logs is unnecessary for debugging or system health monitoring. This exposure creates a risk that an attacker with access to log files could extract these credentials and potentially gain unauthorized access to the system or tenant data. The vulnerability has a CVSS 3.1 base score of 6.2, indicating a medium severity level. The vector indicates local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), but no impact on integrity (I:N) or availability (A:N). No known exploits are reported in the wild as of the publication date. The issue was addressed in version 1.50.8 of para, which implements proper redaction of sensitive information in logs to prevent credential leakage.

Potential Impact

For European organizations using Erudika para versions prior to 1.50.8, this vulnerability poses a significant confidentiality risk. If an attacker gains access to log files—through insider threat, compromised systems, or misconfigured log management—they can extract access and secret keys. These credentials could allow unauthorized access to backend services, leading to potential data breaches, tenant data exposure, or unauthorized data manipulation. Although integrity and availability are not directly impacted, the confidentiality breach can have cascading effects, including regulatory non-compliance with GDPR due to exposure of sensitive data. Organizations relying on para for multitenant environments are particularly at risk, as compromised credentials could allow cross-tenant data access. The lack of required privileges and user interaction for exploitation increases the risk, especially in environments where logs are accessible to multiple users or stored in centralized logging systems without proper access controls.

Mitigation Recommendations

European organizations should immediately upgrade all instances of Erudika para to version 1.50.8 or later to ensure that sensitive credentials are no longer logged in plaintext. Additionally, organizations should audit existing log files for exposure of access and secret keys and securely delete or archive logs containing sensitive information. Implement strict access controls on log storage locations to restrict access to authorized personnel only. Employ log management solutions that support automatic redaction or masking of sensitive data. Regularly review logging configurations to ensure no sensitive information is inadvertently captured. Incorporate monitoring and alerting for unusual access patterns to logs or backend services that could indicate credential misuse. Finally, conduct security awareness training for developers and system administrators on secure logging practices and the importance of protecting sensitive information in logs.
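The two defensive measures the description and the recommendations above call for, centralised redaction before a record reaches any log handler and an audit of existing log files, shown together as an added example (not Para's own code; the key names, the message shapes and the sample log lines are assumptions constructed for the example, since the advisory does not show Para's log format):

```python
import io
import logging
import re

# Assumed key names: the advisory does not show Para's log format, so these names
# and the sample values below are constructed for this example, not taken from Para.
KEY_NAMES = ("access_key", "accesskey", "secret_key", "secretkey")
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(k) for k in KEY_NAMES) + r")\s*[=:]\s*(\S+)"
)

def redact(text: str, keep: int = 4) -> str:
    """Mask the value after a credential-looking key; keep a short prefix only when the value is long."""
    def _mask(m: re.Match) -> str:
        value = m.group(2)
        shown = value[:keep] if len(value) > 2 * keep else ""
        return f"{m.group(1)}={shown}***REDACTED***"
    return _SECRET_RE.sub(_mask, text)

class RedactingFilter(logging.Filter):
    """Rewrites each record before any handler sees it, so no call site has to remember to redact."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def log_through_filter(msg: str, *args) -> str:
    """Log one message via a redacting logger and return what the handler actually wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("para-redact-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(RedactingFilter())
    logger.debug(msg, *args)
    return buf.getvalue().rstrip("\n")

def scan_log(lines):
    """Audit helper: (line number, redacted line) for every line that exposed a key."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1) if _SECRET_RE.search(line)]

# Constructed sample log lines shaped like the bug described (not real Para output).
SAMPLE_LOG = [
    "INFO  App created: id=app:myapp",
    "DEBUG Credentials loaded: accessKey=app:myapp secretKey=p8Qz3vL1x9k2Wm4nRt7yBc5dFe6g",
    "INFO  Persisting object with access_key = app:myapp",
]
```

Calling `scan_log(SAMPLE_LOG)` returns the two offending lines with their values masked, and `log_through_filter` shows the same masking applied at write time, which is the fix an upgrade to 1.50.8 provides for Para itself.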


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-28T18:49:07.585Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683d9584182aa0cae242f8ba

Added to database: 6/2/2025, 12:13:56 PM

Last enriched: 7/11/2025, 8:01:53 AM

Last updated: 8/6/2025, 6:41:05 AM

