CVE-2025-48955 is a vulnerability identified in the Erudika para backend server/framework, which is designed for multitenant object persistence and retrieval. The vulnerability affects all versions prior to 1.50.8. The core issue is the improper handling of sensitive credentials—specifically, access and secret keys—within the application logs. These credentials are logged in plaintext without any redaction or masking, violating secure logging practices as defined by CWE-532 (Insertion of Sensitive Information into Log File). The sensitive keys are reused later in variable assignments for persistence operations, but their presence in logs is unnecessary for debugging or system health monitoring. This exposure creates a risk that an attacker with access to log files could extract these credentials and potentially gain unauthorized access to the system or tenant data. The vulnerability has a CVSS 3.1 base score of 6.2, indicating a medium severity level. The vector indicates local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), but no impact on integrity (I:N) or availability (A:N). No known exploits are reported in the wild as of the publication date. The issue was addressed in version 1.50.8 of para, which implements proper redaction of sensitive information in logs to prevent credential leakage.

For European organizations using Erudika para versions prior to 1.50.8, this vulnerability poses a significant confidentiality risk. If an attacker gains access to log files—through insider threat, compromised systems, or misconfigured log management—they can extract access and secret keys. These credentials could allow unauthorized access to backend services, leading to potential data breaches, tenant data exposure, or unauthorized data manipulation. Although integrity and availability are not directly impacted, the confidentiality breach can have cascading effects, including regulatory non-compliance with GDPR due to exposure of sensitive data. Organizations relying on para for multitenant environments are particularly at risk, as compromised credentials could allow cross-tenant data access. The lack of required privileges and user interaction for exploitation increases the risk, especially in environments where logs are accessible to multiple users or stored in centralized logging systems without proper access controls.

European organizations should immediately upgrade all instances of Erudika para to version 1.50.8 or later to ensure that sensitive credentials are no longer logged in plaintext. Additionally, organizations should audit existing log files for exposure of access and secret keys and securely delete or archive logs containing sensitive information. Implement strict access controls on log storage locations to restrict access to authorized personnel only. Employ log management solutions that support automatic redaction or masking of sensitive data. Regularly review logging configurations to ensure no sensitive information is inadvertently captured. Incorporate monitoring and alerting for unusual access patterns to logs or backend services that could indicate credential misuse. Finally, conduct security awareness training for developers and system administrators on secure logging practices and the importance of protecting sensitive information in logs.