CVE-2025-50200: CWE-532: Insertion of Sensitive Information into Log File in rabbitmq rabbitmq-server
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ logs Authorization headers in plaintext (base64-encoded). When the RabbitMQ HTTP/S API is queried with basic authentication, the broker writes all request headers to its logs, including the Authorization header, which carries the base64-encoded username:password. This is easy to decode and could afterwards be used to gain control of the system, depending on the credentials. This issue has been patched in version 4.0.8.
AI Analysis
Technical Summary
CVE-2025-50200 is a vulnerability identified in the RabbitMQ messaging and streaming broker, specifically affecting versions 3.13.7 and earlier. RabbitMQ is widely used for message queuing and streaming in distributed systems, enabling asynchronous communication between services. The vulnerability arises from the logging mechanism of RabbitMQ's HTTP/S API when basic authentication is used. In these affected versions, RabbitMQ logs all HTTP request headers, including the Authorization header, in plaintext. The Authorization header contains credentials encoded in base64 format, which is a reversible encoding rather than encryption. Consequently, an attacker or unauthorized user with access to the log files can easily decode the base64 string to retrieve the username and password in cleartext. This exposure of sensitive authentication information in logs violates secure logging practices and can lead to credential compromise.

If an attacker obtains valid credentials, they could potentially gain unauthorized access to the RabbitMQ server, allowing them to manipulate message queues, intercept or inject messages, disrupt service availability, or escalate privileges depending on the environment and configuration. The vulnerability does not require user interaction and can be exploited locally or by anyone with access to the log files. It requires that the attacker already have some level of privileges (PR:H) to access logs, but no additional authentication or user interaction is needed.

The issue has been addressed and patched in RabbitMQ version 4.0.8, where logging of sensitive headers has been corrected to prevent credential leakage. The CVSS 4.0 base score is 6.7 (medium severity), reflecting the moderate impact on confidentiality due to credential exposure, limited attack vector (local access to logs), and the requirement of high privileges to access the logs. There are no known exploits in the wild at the time of publication.
Potential Impact
For European organizations, the exposure of RabbitMQ credentials through log files can have significant security implications. RabbitMQ is commonly used in enterprise environments, including financial services, telecommunications, manufacturing, and public sector infrastructures across Europe. Compromise of RabbitMQ credentials could allow attackers to intercept or manipulate critical messaging workflows, potentially disrupting business operations or enabling lateral movement within networks. This could lead to data breaches, service outages, or unauthorized data manipulation. Given the sensitive nature of messages handled by RabbitMQ in many deployments, confidentiality and integrity of communications could be at risk. Additionally, organizations subject to strict data protection regulations such as GDPR may face compliance issues if sensitive credentials are exposed and exploited. The medium severity score indicates that while exploitation requires some level of access, the potential impact on confidentiality is significant. Organizations with RabbitMQ versions prior to 4.0.8 should prioritize remediation to avoid credential leakage and subsequent unauthorized access.
Mitigation Recommendations
1. Upgrade RabbitMQ to version 4.0.8 or later immediately to ensure the vulnerability is patched and sensitive headers are no longer logged in plaintext.
2. Review and restrict access permissions to RabbitMQ log files to minimize the risk of unauthorized access. Implement strict file system ACLs and monitor access logs for unusual activity.
3. Rotate all RabbitMQ credentials that may have been exposed in logs prior to patching to prevent reuse of compromised credentials.
4. Implement centralized and secure log management solutions that encrypt logs at rest and in transit, and enforce role-based access controls to limit exposure.
5. Audit and sanitize existing log files to remove any stored authorization headers containing base64 encoded credentials.
6. Where possible, configure RabbitMQ and associated services to use more secure authentication mechanisms (e.g., OAuth, TLS client certificates) instead of basic authentication to reduce credential exposure risk.
7. Monitor RabbitMQ API usage for anomalous patterns that could indicate credential misuse or unauthorized access attempts.
8. Educate system administrators and DevOps teams on secure logging practices and the risks of logging sensitive information.
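As an added example (not from the advisory or the RabbitMQ project), a small sanitizer that supports mitigations 3 and 5: it redacts base64 Basic-auth tokens from captured log lines and reports which usernames were exposed so those credentials can be rotated, without ever keeping the password. The log line layout and the `authorization: Basic` header form in the constructed sample are assumptions, since the advisory does not show the exact format RabbitMQ wrote.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Matches an HTTP Basic credential token wherever a logged header dump contains it.
# Assumption: the exact line layout RabbitMQ used is not shown in the advisory, so the
# pattern only relies on "authorization", "basic" and a base64 token following them.
_BASIC_RE = re.compile(r"(?i)(authorization\W{0,4}basic\s+)([A-Za-z0-9+/=]+)")


def exposed_username(token: str) -> Optional[str]:
    """Return the username half of a base64 'user:password' token, or None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")  # the password is never kept or returned
    return user if sep else None


def redact_line(line: str) -> Tuple[str, Optional[str]]:
    """Replace every credential token in a line with [REDACTED]; report the exposed username."""
    exposed: Optional[str] = None

    def _sub(match: "re.Match[str]") -> str:
        nonlocal exposed
        exposed = exposed_username(match.group(2)) or exposed
        return match.group(1) + "[REDACTED]"

    return _BASIC_RE.sub(_sub, line), exposed


def sanitize_log(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Sanitize all lines; return (clean lines, sorted usernames whose credentials must be rotated)."""
    clean, users = [], set()
    for line in lines:
        out, user = redact_line(line)
        clean.append(out)
        if user:
            users.add(user)
    return clean, sorted(users)


# Constructed sample lines (not real RabbitMQ output): a header dump with a Basic token,
# a line with no credentials, and a token that decodes but carries no "user:password" pair.
SAMPLE_LOG = [
    "2025-06-13 19:17:51.728 [debug] <0.1234.0> request headers: host: localhost:15672, "
    "authorization: Basic " + base64.b64encode(b"monitor:S3cret!").decode() + ", accept: */*",
    "2025-06-13 19:17:52.001 [info] <0.1234.0> GET /api/overview 200",
    "2025-06-13 19:17:53.002 [debug] <0.1235.0> request headers: authorization: Basic QUJD",
]

if __name__ == "__main__":
    clean_lines, to_rotate = sanitize_log(SAMPLE_LOG)
    print("\n".join(clean_lines))
    print("credentials to rotate:", to_rotate)
```

Run it over a copy of the archived logs, keep only the sanitized output, and feed the returned username list into the credential rotation step.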
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-13T19:17:51.728Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68543b7133c7acc0460d50da
Added to database: 6/19/2025, 4:31:45 PM
Last enriched: 6/19/2025, 4:46:39 PM
Last updated: 8/14/2025, 9:59:05 PM