
CVE-2025-65944: CWE-201: Insertion of Sensitive Information Into Sent Data in getsentry sentry-javascript

Medium
Tags: Vulnerability, CVE-2025-65944, CWE-201
Published: Tue Nov 25 2025 (11/25/2025, 00:23:53 UTC)
Source: CVE Database V5
Vendor/Project: getsentry
Product: sentry-javascript

Description

Sentry-Javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within the application. This issue has been patched in version 10.27.0.

AI-Powered Analysis

Last updated: 11/25/2025, 00:51:49 UTC

Technical Analysis

CVE-2025-65944 affects the Sentry JavaScript SDK (the getsentry/sentry-javascript project) in versions from 10.11.0 up to but not including 10.27.0. The problem appears only in Node.js applications that initialise the SDK with sendDefaultPii: true. Under that setting the SDK attaches certain sensitive incoming HTTP headers, including the Cookie header, to the telemetry it sends, and Sentry stores them as part of the associated trace in the organization's project. Because cookies routinely carry session identifiers or other authentication material, anyone who can read those traces can copy the values and replay them against the application to impersonate the user or escalate privileges. The weakness is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). Two conditions must hold for the data to be misused: the application must have run an affected version with sendDefaultPii enabled, and the reader must already have access to the Sentry organization (for example, a member who can view traces); no user interaction is involved. The SDK bug does not by itself change the application's behaviour; the harm comes from the stored telemetry, which is why headers captured before an upgrade remain readable in Sentry until the events are deleted or age out of retention. Version 10.27.0 stops sending these headers even when sendDefaultPii is enabled. No exploitation in the wild was known at publication. The CVSS 4.0 base score is 5.1 (Medium): network attack vector, low attack complexity, privileges required, no user interaction, and limited impact.
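The following is an added example written for this page, not code from Sentry or from the advisory. It places the weak option beside the hardened one and adds a defence-in-depth hook that scrubs sensitive headers from events before they leave the process. The event shape it assumes (request headers under event.request.headers, span attributes under span.data and contexts.trace.data with OpenTelemetry-style keys such as http.request.header.cookie) and the hook names beforeSend and beforeSendTransaction are assumptions about the SDK's option and event formats, not facts stated on the page; the event at the bottom is constructed for the demonstration.

```javascript
// Added example for this page; not Sentry's own code.
// Assumed (not confirmed by the page): the Node SDK takes an options object with
// sendDefaultPii, beforeSend and beforeSendTransaction; events carry request
// headers in event.request.headers; span attributes use keys such as
// "http.request.header.cookie".

const SENSITIVE_HEADERS = new Set([
  'cookie', 'set-cookie', 'authorization', 'proxy-authorization', 'x-api-key',
]);
const FILTERED = '[Filtered]';

// Replace the value of every sensitive header in a header map, keeping the rest.
function scrubHeaderMap(headers) {
  if (!headers || typeof headers !== 'object') return headers;
  for (const name of Object.keys(headers)) {
    if (SENSITIVE_HEADERS.has(name.toLowerCase())) headers[name] = FILTERED;
  }
  return headers;
}

// Span attributes: a key that ends in "header.<name>" carries that header's value.
function scrubSpanData(data) {
  if (!data || typeof data !== 'object') return data;
  for (const key of Object.keys(data)) {
    const m = /header\.([^.]+)$/i.exec(key);
    if (m && SENSITIVE_HEADERS.has(m[1].toLowerCase())) data[key] = FILTERED;
  }
  return data;
}

// beforeSend / beforeSendTransaction hook: scrub the request context, every
// child span and the root span (contexts.trace). Returning the event tells the
// SDK to send the scrubbed copy; returning null would drop it entirely.
function scrubSensitiveHeaders(event) {
  if (event.request) scrubHeaderMap(event.request.headers);
  for (const span of event.spans || []) scrubSpanData(span.data);
  if (event.contexts && event.contexts.trace) scrubSpanData(event.contexts.trace.data);
  return event;
}

// The setting that exposes the issue on affected versions.
const weakOptions = {
  dsn: process.env.SENTRY_DSN,
  sendDefaultPii: true,
};

// Hardened settings: do not opt into default PII, and scrub anyway so that a
// future SDK regression cannot land cookies in stored traces.
const hardenedOptions = {
  dsn: process.env.SENTRY_DSN,
  sendDefaultPii: false,
  beforeSend: scrubSensitiveHeaders,
  beforeSendTransaction: scrubSensitiveHeaders,
};
// In the application this object is what gets passed to Sentry.init(hardenedOptions).

// Constructed sample transaction event, shaped like the assumed format above.
const sampleTransaction = {
  type: 'transaction',
  request: { headers: { Cookie: 'session=abc123', 'content-type': 'application/json' } },
  contexts: { trace: { op: 'http.server', data: { 'http.request.header.authorization': 'Bearer t0ken' } } },
  spans: [{ op: 'http.client', data: { 'http.request.header.cookie': 'session=abc123', 'http.method': 'GET' } }],
};
```

Run the hook over sampleTransaction and the two cookie values and the bearer token come back as "[Filtered]" while content-type and http.method are untouched. The scrub is an extra layer, not a substitute for the upgrade: it only covers event shapes it knows about, so keep sendDefaultPii off and move to 10.27.0 regardless.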

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data leakage through telemetry data collected by Sentry. Organizations that use the affected versions of the Sentry-Javascript SDK with sendDefaultPii enabled may inadvertently expose HTTP headers containing session cookies or other sensitive tokens. If an attacker or malicious insider gains access to the Sentry organization, they could extract these sensitive values to impersonate users or escalate privileges within the application environment. This can lead to unauthorized access to internal systems or data breaches. The impact is particularly significant for organizations with large development teams or third-party collaborators who have access to Sentry projects, increasing the risk of insider threats or accidental exposure. Additionally, organizations subject to strict data protection regulations such as GDPR may face compliance risks due to the unauthorized exposure of personal data. However, since exploitation requires existing high privileges within Sentry, the vulnerability primarily escalates risk rather than enabling initial compromise.

Mitigation Recommendations

European organizations should upgrade every Node.js application that uses the Sentry JavaScript SDK to version 10.27.0 or later; `npm ls @sentry/node` (or the yarn/pnpm equivalent) lists every installed copy, including nested ones pulled in by other dependencies, so none in the affected range is missed. Until the upgrade is complete, set sendDefaultPii to false so the SDK stops attaching default PII, including the affected headers, to outgoing events. Treat cookies that may already have been captured as compromised: the values sit in stored traces, so invalidate the affected sessions or rotate the cookie-signing secret rather than relying on the upgrade alone, then search the project's traces for header data and delete the affected events. Restrict which Sentry organization members can view traces, and review the organization's audit log for unexpected access to the affected projects. As defence in depth, enable server-side data scrubbing in the Sentry project settings and scrub sensitive headers in the SDK's beforeSend hooks, so that a future SDK regression cannot land cookies in storage. Make sure development and security teams understand that sendDefaultPii widens what the SDK collects and should only be enabled with that trade-off in mind, and keep the Sentry SDK and other dependencies in the regular vulnerability-management cycle so advisories like this one are acted on promptly.
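To make the version check concrete, here is an added example (not from Sentry or the advisory) that audits a package-lock.json for @sentry/* packages inside the affected range [10.11.0, 10.27.0), including copies nested under other dependencies. It reads the lockfileVersion 2/3 "packages" map, which is npm's documented format; flagging every @sentry/* scope rather than only the Node packages is a deliberate over-approximation, so compare matches against the advisory's package list before acting. The lockfile at the bottom is constructed for the demonstration.

```javascript
// Added example for this page; not Sentry's own tooling.
// Audits an npm package-lock.json (lockfileVersion 2 or 3) for @sentry/*
// packages in the range affected by CVE-2025-65944: >= 10.11.0 and < 10.27.0.

const AFFECTED_MIN = [10, 11, 0];
const FIXED = [10, 27, 0];

// Parse "10.15.2" or "v10.15.2" into [major, minor, patch]. Prerelease tags
// are ignored, so "10.27.0-beta.1" is treated as 10.27.0; treat prereleases
// of the fixed version as unpatched until confirmed.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version || ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside [10.11.0, 10.27.0).
function isAffectedVersion(version) {
  const parsed = parseSemver(version);
  if (!parsed) return false;
  return compareSemver(parsed, AFFECTED_MIN) >= 0 && compareSemver(parsed, FIXED) < 0;
}

// Walk the "packages" map. Keys are install paths such as
// "node_modules/@sentry/node" or "node_modules/foo/node_modules/@sentry/node";
// the package name is whatever follows the last "node_modules/".
function findAffectedSentryPackages(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const idx = installPath.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the project itself, not a dependency
    const name = installPath.slice(idx + 'node_modules/'.length);
    if (!name.startsWith('@sentry/')) continue;
    if (isAffectedVersion(meta && meta.version)) {
      hits.push({ path: installPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct affected install, one nested copy
// already on the fixed version, and an unrelated package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@sentry/node': '^10.15.0' } },
    'node_modules/@sentry/node': { version: '10.15.2' },
    'node_modules/@sentry/core': { version: '10.15.2' },
    'node_modules/some-lib/node_modules/@sentry/node': { version: '10.27.0' },
    'node_modules/express': { version: '4.19.2' },
  },
};

// Usage: node audit-sentry-lock.js ./package-lock.json
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  for (const hit of findAffectedSentryPackages(lock)) {
    console.log(`${hit.name}@${hit.version} (${hit.path}) is in the affected range`);
  }
}
```

On SAMPLE_LOCK the audit reports the direct @sentry/node and @sentry/core installs at 10.15.2 and stays silent on the nested 10.27.0 copy. A clean report only means no affected copy is installed; it says nothing about events that were already captured, which still need the session and telemetry clean-up described above.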


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-18T16:14:56.691Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6924fa182a08b12b0e78427a

Added to database: 11/25/2025, 12:36:40 AM

Last enriched: 11/25/2025, 12:51:49 AM

Last updated: 11/25/2025, 1:48:03 AM

Views: 5

