
CVE-2025-65944: CWE-201: Insertion of Sensitive Information Into Sent Data in getsentry sentry-javascript

Medium
Published: Tue Nov 25 2025 (11/25/2025, 00:23:53 UTC)
Source: CVE Database V5
Vendor/Project: getsentry
Product: sentry-javascript

Description

sentry-javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK is configured with sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers are stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these values to impersonate users or escalate their privileges within the application. This issue has been patched in version 10.27.0.

AI-Powered Analysis

Last updated: 12/02/2025, 04:27:08 UTC

Technical Analysis

CVE-2025-65944 affects the official sentry-javascript SDK when used in Node.js applications, specifically versions from 10.11.0 up to but not including 10.27.0. The vulnerability arises when the SDK is configured with the sendDefaultPii option enabled, which instructs the SDK to include personally identifiable information (PII) such as IP addresses, user details and request data in the events it reports. In this state, certain sensitive HTTP headers, including the Cookie header, are transmitted to Sentry's backend as part of trace data and stored alongside the trace. Because the Cookie header typically carries session identifiers or authentication tokens, anyone who can read that trace data in the Sentry organization can replay those values against the application to impersonate the affected user or escalate privileges. Nothing about the application's own behaviour changes; the secret simply ends up in a second system with a different set of viewers. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). Exploitation requires an attacker to already hold privileged access within the Sentry organization; beyond that, no user interaction or authentication bypass is needed. The CVSS 4.0 base score of 5.1 (Medium) reflects a network attack vector, low attack complexity and that requirement for privileged access. The issue was fixed in version 10.27.0 of the SDK, which stops sensitive headers such as Cookie from being attached to outgoing data even when sendDefaultPii is enabled. No public exploits or active exploitation have been reported to date.

Potential Impact

For European organizations running the sentry-javascript SDK in Node.js applications with sendDefaultPii enabled, this vulnerability means session cookies and other sensitive HTTP headers may already be stored within their Sentry organization. Anyone who gains access to that organization, whether an insider, a contractor with broad project visibility or the holder of a compromised Sentry account, could use the stored values to impersonate legitimate users or escalate privileges, potentially leading to unauthorized access to internal systems or a data breach. The risk is most significant for organizations handling sensitive personal data or operating in regulated sectors such as finance, healthcare or critical infrastructure, where leaked authentication tokens could facilitate lateral movement or compromise customer accounts and where storage of such tokens in a third-party monitoring service may itself be a compliance finding. Since Sentry is widely used for error tracking and performance monitoring, the exposed population of web applications is broad. The requirement for privileged access to the Sentry organization does, however, limit the attack surface to insider threats and compromised Sentry accounts, and the absence of known exploits in the wild reduces immediate risk without eliminating it.

Mitigation Recommendations

European organizations should immediately audit their Node.js applications for sentry-javascript versions from 10.11.0 up to but not including 10.27.0 that have sendDefaultPii enabled. The primary mitigation is to upgrade all affected SDK instances to version 10.27.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, disable sendDefaultPii; note that this also suppresses other PII the SDK attaches (such as client IP addresses and user context), so teams that rely on that data may prefer to keep the option on and instead scrub sensitive headers in the SDK's beforeSend and beforeSendTransaction hooks before events leave the process. Upgrading does not remove what has already been ingested: traces captured while the vulnerable version was in use remain readable in Sentry until they age out of the project's retention window or are deleted, so review and delete affected events where possible. Independently of this issue, enforce strict access controls and multi-factor authentication on Sentry organizations, limit membership to personnel who need it, and monitor Sentry audit logs for unusual access patterns or bulk data exports. Finally, rotate session cookies and any other tokens that may have been captured if exposure is suspected, since a leaked session identifier remains valid until it expires or is invalidated server-side.
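The following is an added example, not code from sentry-javascript or from this advisory, covering both the leak described in the Technical Analysis and the audit and scrubbing steps above. It checks whether a reported SDK version falls in the affected range, and provides a hook that redacts Cookie, Authorization and similar headers from error events and transaction spans so it can be wired as beforeSend and beforeSendTransaction even while sendDefaultPii stays on. The list of headers beyond Cookie, the span attribute naming (http.request.header.<name>, following OpenTelemetry conventions), the placeholder DSN and the sample event are all assumptions constructed for the example; no Sentry package is imported, so the file runs stand-alone in Node.js.

```javascript
// Added example for CVE-2025-65944 (not sentry-javascript's own code).
// Runs stand-alone in Node.js; Sentry.init() is never called here.

// Headers that must never leave the process, whatever sendDefaultPii says.
// The advisory names Cookie; the others are an assumption about what a
// practitioner would also want redacted.
const SENSITIVE_HEADERS = new Set([
  'cookie', 'set-cookie', 'authorization', 'proxy-authorization',
  'x-api-key', 'x-auth-token',
]);
const REDACTED = '[Filtered]';

// Parse "10.11.0"-style versions; returns null for anything unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 10.11.0 and < 10.27.0.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, [10, 11, 0]) >= 0 &&
         compareVersions(v, [10, 27, 0]) < 0;
}

// Redact sensitive names in a plain header object (names are case-insensitive).
function redactHeaders(headers) {
  if (!headers || typeof headers !== 'object') return headers;
  for (const name of Object.keys(headers)) {
    if (SENSITIVE_HEADERS.has(name.toLowerCase())) headers[name] = REDACTED;
  }
  return headers;
}

// Redact span attributes that carry header values. The attribute naming
// http.request.header.<name> / http.response.header.<name> is assumed here
// (OpenTelemetry convention); the match is on the lower-cased header name.
function redactSpanData(data) {
  if (!data || typeof data !== 'object') return data;
  for (const key of Object.keys(data)) {
    const m = /^http\.(?:request|response)\.header\.(.+)$/i.exec(key);
    if (m && SENSITIVE_HEADERS.has(m[1].toLowerCase())) data[key] = REDACTED;
  }
  return data;
}

// Works for both beforeSend (error events) and beforeSendTransaction
// (transaction events carrying spans). Mutates and returns the event.
function scrubSensitiveHeaders(event) {
  if (!event) return event;
  if (event.request) redactHeaders(event.request.headers);
  if (event.contexts && event.contexts.trace) redactSpanData(event.contexts.trace.data);
  for (const span of event.spans || []) redactSpanData(span.data);
  return event;
}

// How the hook would be wired into Sentry.init(sentryOptions). The DSN is a
// placeholder and the init call is deliberately omitted.
const sentryOptions = {
  dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
  sendDefaultPii: true,
  beforeSend: scrubSensitiveHeaders,
  beforeSendTransaction: scrubSensitiveHeaders,
};

// Constructed sample transaction event (not captured from a real application).
function sampleTransaction() {
  return {
    type: 'transaction',
    request: {
      url: 'https://app.example/login',
      headers: { Cookie: 'session=abc123', 'User-Agent': 'curl/8.0' },
    },
    contexts: {
      trace: {
        op: 'http.server',
        data: { 'http.request.header.cookie': 'session=abc123', 'http.request.method': 'POST' },
      },
    },
    spans: [{
      op: 'http.client',
      data: { 'http.request.header.authorization': 'Bearer tok', 'http.response.status_code': 200 },
    }],
  };
}

console.log('10.26.0 affected:', isAffectedVersion('10.26.0'));
console.log(JSON.stringify(sentryOptions.beforeSendTransaction(sampleTransaction()), null, 2));
```

The hook is defence in depth, not a substitute for upgrading: it only scrubs what the process is about to send, and it cannot reach the traces a vulnerable version already shipped.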


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-18T16:14:56.691Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6924fa182a08b12b0e78427a

Added to database: 11/25/2025, 12:36:40 AM

Last enriched: 12/2/2025, 4:27:08 AM

Last updated: 1/9/2026, 7:30:55 AM

