
CVE-2025-8864: CWE-532 Insertion of Sensitive Information into Log File in YugabyteDB Inc YugabyteDB Anywhere

Medium
Tags: Vulnerability, CVE-2025-8864, cve, cwe-532
Published: Mon Aug 11 2025 (08/11/2025, 13:30:09 UTC)
Source: CVE Database V5
Vendor/Project: YugabyteDB Inc
Product: YugabyteDB Anywhere

Description

Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs

AI-Powered Analysis

Last updated: 08/11/2025, 14:03:18 UTC

Technical Analysis

CVE-2025-8864 is a medium-severity vulnerability in YugabyteDB Anywhere versions 2.23.0.0 and 2024.1.0.0. It is classified under CWE-532 (insertion of sensitive information into a log file). The Shared Access Signature (SAS) token stored in a backup storage configuration is returned unmasked in the backup configuration response, and the same token is written to the yb_backup logs produced during backup and restore runs. A SAS token is the delegated-access credential used with Azure Storage: a signed query string whose parameters fix the permitted operations (sp), the validity window (st/se), and the resource scope, with a signature (sig) computed over those parameters. Anyone who obtains the full string can use it against the backup storage directly, without any YugabyteDB Anywhere credentials, until it expires or the key it was signed with is rotated.

The vulnerability has a CVSS 4.0 base score of 6.8 (medium). The vector records an adjacent-network attack vector (AV:A), high attack complexity (AC:H), high privileges required (PR:H), no user interaction (UI:N), high confidentiality impact (VC:H), and no integrity or availability impact on the vulnerable system (VI:N, VA:N); no impact on subsequent systems is scored (CVSS 4.0 has no separate scope metric). No known exploits are in the wild. The vulnerability was published on August 11, 2025, and no patches had been linked at that time.

The practical significance is that the token escapes the access controls of the Anywhere UI and API. Logs are retained for long periods, shipped to central log stores and SIEMs, and bundled into support tickets, so many more people and systems can read the token than were ever meant to hold the backup storage credential. Because the token grants access to the backup resources themselves, its exposure can lead to unauthorized reading or exfiltration of backup data by anyone who reads the configuration response or the logs.

Potential Impact

For European organizations using YugabyteDB Anywhere, this vulnerability poses a risk of unauthorized access to backup data if the exposed SAS tokens are read by malicious actors. Backups typically contain complete copies of production tables, including personal data, so a confidentiality breach can lead to data leaks, regulatory non-compliance (for example GDPR breach-notification obligations), and reputational damage. The impact is heightened in sectors with strict data protection requirements such as finance, healthcare, and government. Because reading the backup configuration response requires privileged access to YugabyteDB Anywhere (PR:H), the most likely abusers are insiders, attackers who have already compromised an administrator account, or anyone with read access to wherever the yb_backup logs are stored or forwarded, which is often a much wider group than the Anywhere administrators. The CVSS scoring covers YugabyteDB Anywhere itself; what an attacker can do with the storage account depends on the token's own permissions and scope. A token issued with only read and list permissions and a short expiry limits the exposure to reading backups, whereas a long-lived token with write and delete permissions on the backup container would also let an attacker tamper with or destroy backups, undermining disaster recovery even though the product-level vector records no integrity or availability impact.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first treat every SAS token that has appeared in a backup configuration response or a yb_backup log as compromised and rotate it: regenerate the storage account key that signed the token (which invalidates every SAS signed with that key) or otherwise revoke it, then issue a replacement with the minimum permissions the backup job needs, scoped to the backup container, with a short expiry. Next, review the storage account's access logs for requests made with the exposed token from unexpected sources. Restrict access to the yb_backup logs and to the Anywhere API endpoint that returns backup configurations to the personnel and systems that genuinely need them, and check log-forwarding pipelines, support bundles, and ticketing systems for copies of the logs that carry the token. Masking the token in responses and logs is a fix for YugabyteDB to ship; until a patch is available, scrub the sig parameter (the signature that makes the token usable) from log lines before they are stored or forwarded. Enforce least privilege for YugabyteDB Anywhere roles that can read backup configurations, alert on access to backup logs and configuration endpoints, encrypt logs at rest and in transit, and apply the vendor's patch promptly once it is released.
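As an added example (not code from the page or from the YugabyteDB project), the following Python script shows both halves of the response above: it finds SAS tokens in constructed sample lines shaped like a backup configuration response and yb_backup log output, reports the permissions and expiry of each token so the exposure window can be judged, and masks the sig parameter so the lines can be stored or forwarded safely. The storage account name, token values and log format are invented for the example; the parameter names (sv, sp, se, sig) are the standard Azure SAS query parameters.

```python
"""Find, triage and mask Azure SAS tokens in backup-config output and yb_backup logs.

Added example; the sample lines below are constructed and not real YugabyteDB output.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample: a backup-config JSON line and two yb_backup-style log lines.
SAMPLE_LINES = [
    '{"name":"az-backups","data":{"AZURE_STORAGE_SAS_TOKEN":'
    '"sv=2022-11-02&ss=b&srt=co&sp=rwdlac&se=2025-09-01T00:00:00Z'
    '&st=2025-08-01T00:00:00Z&spr=https&sig=abc123DEF456%2Bghi%2Fjkl%3D"}}',
    "2025-08-11 13:30:09,123 INFO yb_backup: uploading to "
    "https://examplestore.blob.core.windows.net/backups/snap-01"
    "?sv=2022-11-02&sp=rwdlac&se=2025-09-01T00:00:00Z&sig=abc123DEF456%2Bghi%2Fjkl%3D",
    "2025-08-11 13:30:10,456 INFO yb_backup: upload complete, 3 files",
]

# The sig= parameter is the HMAC that makes a SAS usable; masking only that value
# neutralises the token while keeping the other parameters for debugging.
SIG_RE = re.compile(r'(?i)(?<![A-Za-z0-9_])sig=([^&\s"\'\\]+)')

# A whole SAS token: a run of k=v query parameters that includes sig=, as found either
# bare in a config field or after the '?' of a storage URL.
TOKEN_RE = re.compile(
    r'(?i)(?:[A-Za-z]{1,8}=[^&\s"\'\\]*&)*sig=[^&\s"\'\\]+(?:&[A-Za-z]{1,8}=[^&\s"\'\\]*)*'
)


def redact_sas(text: str) -> str:
    """Mask the signature of every SAS token in `text`."""
    return SIG_RE.sub("sig=<REDACTED>", text)


def extract_sas_tokens(text: str) -> list[str]:
    """Return every SAS token (query-string form) found in `text`."""
    return [m.group(0) for m in TOKEN_RE.finditer(text)]


def sas_expiry(token: str) -> Optional[datetime]:
    """Parse the signed-expiry (se) parameter; Azure accepts full timestamps or bare dates."""
    se = parse_qs(token).get("se", [None])[0]
    if not se:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def triage(lines: list[str], now: datetime) -> list[dict]:
    """For each token found: line number, permissions (sp), expiry, and whether it is still usable."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for token in extract_sas_tokens(line):
            params = parse_qs(token)
            expires = sas_expiry(token)
            findings.append({
                "line": lineno,
                "permissions": params.get("sp", [""])[0],
                "expires": expires,
                # No parseable expiry: assume the worst and treat the token as live.
                "usable": expires is None or expires > now,
            })
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for finding in triage(SAMPLE_LINES, now):
        print(f"line {finding['line']}: sp={finding['permissions']} "
              f"expires={finding['expires']} usable={finding['usable']}")
    for line in SAMPLE_LINES:
        print(redact_sas(line))
```

Run the triage first against exported logs and the saved API response to learn which tokens are still live and what they permit, then rotate those tokens; run `redact_sas` over the log stream (for example in the log shipper's filter stage) so the signature never reaches central storage. Masking only sig is deliberate: the remaining parameters are useful for diagnosing backup failures and are useless to an attacker without the signature.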


Technical Details

Data Version: 5.1
Assigner Short Name: Yugabyte
Date Reserved: 2025-08-11T13:05:50.185Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6899f47fad5a09ad0025ec1b

Added to database: 8/11/2025, 1:47:43 PM

Last enriched: 8/11/2025, 2:03:18 PM

Last updated: 8/11/2025, 3:31:41 PM

