CVE-2025-54064: CWE-532: Insertion of Sensitive Information into Log File in rucio helm-charts
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the Apache access log of these components. The `X-Rucio-Auth-Token` header, which is sent with each request to Rucio, is part of this log format. Thus, each access log line potentially exposes the user's credentials (an internal Rucio token, or a JWT in the case of OIDC authentication). Due to the length of the token (especially for a JWT), the logged tokens are often truncated and thus not usable as a credential; nevertheless, the (partial) credential should not be part of the log file. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui`, and `rucio-webui` helm-charts. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.
AI Analysis
Technical Summary
CVE-2025-54064 is a medium-severity vulnerability affecting the Rucio software framework's helm-chart configurations for the rucio-server, rucio-ui, and rucio-webui components. Rucio is widely used for managing and accessing large volumes of scientific data, often in research and academic environments. The vulnerability arises from the inclusion of the X-Rucio-Auth-Token HTTP header in the Apache access log format defined by the helm-charts. This header carries sensitive authentication credentials, either internal Rucio tokens or JWTs in the case of OIDC authentication. Logging these tokens exposes sensitive credential information in plaintext within access logs. Although JWT tokens are often truncated due to their length, partial tokens still represent sensitive information that should not be logged. The risk is heightened if access logs are accessible to personnel beyond trusted administrators, potentially leading to unauthorized access or token misuse. The vulnerability affects multiple versions of the rucio-server, rucio-ui, and rucio-webui prior to patched releases (rucio-server 32.0.1, 35.0.1, 37.0.2; rucio-ui 32.0.2, 35.1.1, 37.0.4; rucio-webui 32.0.1, 35.1.1, 37.0.2). The issue is classified under CWE-532 (Insertion of Sensitive Information into Log File). The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, no privileges or user interaction required, and limited confidentiality impact. No known exploits are reported in the wild as of publication. Mitigation involves updating to patched helm-chart versions or manually removing the X-Rucio-Auth-Token from the log format configuration to prevent sensitive token logging.
Potential Impact
For European organizations, particularly research institutions, universities, and scientific collaborations that rely on Rucio for data management, this vulnerability poses a risk of credential leakage through log files. Unauthorized access to these tokens could allow attackers to impersonate legitimate users, gaining access to sensitive scientific data or administrative functions. This could lead to data confidentiality breaches, unauthorized data manipulation, or disruption of scientific workflows. The impact is amplified in environments where access logs are shared broadly or insufficiently protected. Given the collaborative nature of many European scientific projects, exposure of tokens could also facilitate lateral movement across interconnected systems. While the vulnerability does not directly allow remote code execution or system takeover, the compromise of authentication tokens can undermine the integrity and confidentiality of critical data assets. The medium severity rating reflects the moderate but tangible risk to confidentiality without direct impact on availability or integrity of the system itself.
Mitigation Recommendations
European organizations using Rucio should promptly upgrade to the patched versions of rucio-server, rucio-ui, and rucio-webui helm-charts as specified (rucio-server 32.0.1+, rucio-ui 32.0.2+, rucio-webui 32.0.1+). If immediate upgrading is not feasible, administrators should manually modify the helm-chart configuration to remove the X-Rucio-Auth-Token from the Apache access log format variable (`logFormat`). Additionally, organizations should audit access controls on log storage to ensure only authorized personnel can view logs. Implementing log management best practices such as encryption at rest, strict access controls, and regular log review can reduce exposure risk. Monitoring for unusual access patterns or token misuse can help detect exploitation attempts. Finally, organizations should educate administrators and developers about the risks of logging sensitive information and enforce secure logging policies across all services.
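The following is an added example, not code from the Rucio project: it audits an Apache `LogFormat` string for request-header directives (`%{Name}i`) that log credentials, rewrites them to a literal `-`, and scrubs JWT-looking fragments from lines written before the fix. The sample format and log line are constructed for illustration and are not the chart's actual default; treating `Authorization` and `Cookie` as sensitive alongside `X-Rucio-Auth-Token` is an assumption of this example.

```python
import re

# Request headers that carry credentials. X-Rucio-Auth-Token is the header named
# in the advisory; Authorization and Cookie are added here as an assumption.
SENSITIVE_HEADERS = {"x-rucio-auth-token", "authorization", "cookie"}

# mod_log_config request-header directive: %{Name}i, optionally preceded by
# status-code conditions or </> modifiers, e.g. %!200,304{Name}i or %>{Name}i.
HEADER_DIRECTIVE = re.compile(r"%[!0-9,<>]*\{([^}]+)\}i")

# A JWT starts with base64url of '{"', i.e. "eyJ"; truncated fragments still match.
JWT_FRAGMENT = re.compile(r"eyJ[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]*){0,2}")


def logged_secret_headers(log_format):
    """Return the credential-bearing request headers a LogFormat string logs."""
    return [m.group(1) for m in HEADER_DIRECTIVE.finditer(log_format)
            if m.group(1).lower() in SENSITIVE_HEADERS]


def sanitize_log_format(log_format):
    """Replace credential header directives with a literal '-' so the column
    count seen by downstream log parsers stays the same."""
    def repl(m):
        return "-" if m.group(1).lower() in SENSITIVE_HEADERS else m.group(0)
    return HEADER_DIRECTIVE.sub(repl, log_format)


def redact_jwt_fragments(line):
    """Scrub JWT-looking strings from a log line written before the fix."""
    return JWT_FRAGMENT.sub("[REDACTED]", line)


# Constructed sample values, not the chart's real default or real log data.
SAMPLE_FORMAT = r'%h\t%t\t"%{X-Rucio-Auth-Token}i"\t%{User-Agent}i\t"%r"\t%>s'
SAMPLE_LINE = '10.0.0.5\t[17/Jul/2025:14:46:12 +0000]\t"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2Vy"\treq-1\t"GET /ping HTTP/1.1"\t200'

if __name__ == "__main__":
    print(logged_secret_headers(SAMPLE_FORMAT))
    print(sanitize_log_format(SAMPLE_FORMAT))
    print(redact_jwt_fragments(SAMPLE_LINE))
```

`redact_jwt_fragments` only recognises JWTs; internal Rucio tokens have no pattern described on this page, so logs that may contain them need to be scrubbed by column position or rotated out.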
Affected Countries
Germany, France, United Kingdom, Switzerland, Italy, Netherlands, Spain, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T13:22:18.204Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68790cb4a83201eaace66ba7
Added to database: 7/17/2025, 2:46:12 PM
Last enriched: 7/17/2025, 3:01:38 PM
Last updated: 8/28/2025, 9:42:52 PM