CVE-2025-49009: CWE-532: Insertion of Sensitive Information into Log File in Erudika para
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-49009 is a vulnerability identified in the Erudika para backend server/framework, specifically affecting versions prior to 1.50.8. Para is a multitenant backend system designed for object persistence and retrieval, commonly used to support applications requiring scalable data storage and user authentication. The vulnerability resides in the FacebookAuthFilter.java component, where during a failed request to a Facebook user profile, the full request URL is logged at the WARN level. Critically, this logged URL includes the user's Facebook access token in plaintext. Since WARN-level logs are typically retained in production environments and accessible to system operators or centralized log aggregation services, this creates a significant risk of sensitive token exposure. An attacker or insider with access to these logs could extract the access tokens and potentially impersonate users or gain unauthorized access to Facebook user data. The vulnerability does not require authentication or user interaction to be exploited, but it does require that a failed Facebook profile request occurs and that logs are accessible. The issue was resolved in version 1.50.8 of para by preventing sensitive token information from being logged. The CVSS v3.1 score is 6.2 (medium severity), reflecting the local attack vector, low complexity, no privileges required, no user interaction, and high confidentiality impact due to token exposure. There are no known exploits in the wild at this time.
Potential Impact
For European organizations using the Erudika para framework in versions prior to 1.50.8, this vulnerability poses a tangible risk to user data confidentiality. Exposure of Facebook access tokens can lead to unauthorized access to user profiles, potentially enabling data theft, account manipulation, or further lateral attacks within integrated systems. Given the multitenant nature of para, a compromised token could allow attackers to access multiple tenants' data if tokens are reused or if the attacker leverages the token to escalate privileges. This risk is heightened in regulated environments under GDPR, where unauthorized disclosure of personal data can result in significant legal and financial penalties. Additionally, organizations relying on Facebook authentication for user identity management may face reputational damage if user accounts are compromised. The vulnerability does not directly impact system integrity or availability but undermines trust in authentication mechanisms and data confidentiality.
Mitigation Recommendations
European organizations should immediately upgrade all instances of Erudika para to version 1.50.8 or later to eliminate the logging of sensitive tokens. Until the upgrade is applied, organizations should implement strict access controls on log files, ensuring only authorized personnel and systems can read WARN-level logs. Employ log redaction or filtering mechanisms to sanitize logs and remove sensitive tokens before storage or aggregation. Review and audit existing logs for token exposure and revoke any potentially compromised Facebook access tokens via Facebook's developer console or user account management. Additionally, implement monitoring to detect unusual access patterns that might indicate token misuse. Organizations should also consider segregating logging environments and encrypting log storage to reduce the risk of unauthorized access. Finally, update incident response plans to include procedures for token compromise scenarios.
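As an added illustration (not code from Erudika para or from this advisory), the Python below shows the defect the advisory describes and the two interim mitigations it recommends: stripping secrets out of a URL before it reaches a logger, and auditing log lines that were already written for tokens. The parameter names (`access_token` is the conventional Facebook Graph API name), the `FacebookAuthFilter` log message text and the sample log lines are assumptions constructed for the example; they are not para's real log format or code.

```python
"""Redact bearer-style secrets from URLs before logging, and audit existing logs.

Added example; not code from Erudika para. The query-parameter names below are
assumptions (access_token is the conventional Facebook Graph API name), and the
sample log lines are constructed, not para's real log format.
"""
import logging
import re
from urllib.parse import urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Parameter names treated as secrets (assumed list for this example).
SENSITIVE_PARAMS = {"access_token", "token", "client_secret", "appsecret_proof"}
# Loose URL matcher for free-form log text; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_query(query: str) -> str:
    """Replace the value of every sensitive key in a query or fragment string.

    Splits on '&' and '=' instead of parse_qsl/urlencode so the encoding of the
    remaining parameters is left exactly as it was.
    """
    out = []
    for part in query.split("&"):
        key, sep, _value = part.partition("=")
        if sep and key.lower() in SENSITIVE_PARAMS:
            out.append(f"{key}={REDACTED}")
        else:
            out.append(part)
    return "&".join(out)


def redact_url(url: str) -> str:
    """Return url with secrets removed from both the query and the fragment.

    The fragment is covered too, because OAuth implicit-flow redirects carry
    access_token there rather than in the query string.
    """
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=redact_query(parts.query),
                                     fragment=redact_query(parts.fragment)))


def redact_line(line: str) -> str:
    """Redact every URL embedded in a free-form log line."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)


def find_exposed_tokens(lines):
    """Audit helper: (line number, parameter, token prefix) for each secret found.

    Only a short prefix is returned so the audit report does not become another
    copy of the leaked token.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            parts = urlsplit(m.group(0))
            for segment in (parts.query, parts.fragment):
                for part in segment.split("&"):
                    key, sep, value = part.partition("=")
                    if sep and key.lower() in SENSITIVE_PARAMS and value and value != REDACTED:
                        findings.append((n, key, value[:4] + "..."))
    return findings


def warn_failed_request(url: str, status: int, logger=None) -> str:
    """The fixed logging pattern: record the failure with the token stripped.

    The vulnerable form described by the advisory passes the raw URL to the
    WARN log; here only the redacted URL is logged. Returns the message so the
    result can be checked.
    """
    logger = logger or logging.getLogger("FacebookAuthFilter")  # assumed logger name
    message = f"Facebook profile request failed (HTTP {status}): {redact_url(url)}"
    logger.warning(message)
    return message


# Constructed sample data; the token values are placeholders, not real tokens.
FAILED_URL = "https://graph.facebook.com/me?fields=id,name,email&access_token=EAABconstructedToken123"
SAMPLE_LOG = [
    "2025-06-05 16:58:53 WARN  FacebookAuthFilter - request failed: " + FAILED_URL,
    "2025-06-05 16:58:54 INFO  Server - GET https://example.org/api/users?page=2",
    "2025-06-05 16:58:55 WARN  OAuthCallback - redirect https://app.example/cb#access_token=ABCDconstructed&expires_in=3600",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for finding in find_exposed_tokens(SAMPLE_LOG):
        print("exposed:", finding)
    for line in SAMPLE_LOG:
        print(redact_line(line))
    warn_failed_request(FAILED_URL, 400)
```

`find_exposed_tokens` is the audit step: run it over archived WARN logs to find lines that need scrubbing and tokens that should be revoked. `redact_line` is the filtering step that can sit in front of a log shipper until the upgrade to 1.50.8 is applied, and `warn_failed_request` shows the logging pattern the fixed version is described as using, with the token never reaching the log record.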
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.176Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6841cccd182aa0cae2e789a6
Added to database: 6/5/2025, 4:58:53 PM
Last enriched: 7/7/2025, 3:58:00 PM
Last updated: 8/3/2025, 8:23:12 AM