VDB

CVE-2025-65944

CVE-2025-65944 PUBLISHED CVSS 5.099999904632568 MEDIUM

Sentry-Javascript is an official Sentry SDKs for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within the application. This issue has been patched in version 10.27.0.

EPSS 0.07% · 21.6th percentile

Risk Scores

CVSS v4.0
5.099999904632568
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
EPSS Score
0.07%
21.6th percentile

Affected Products

VendorProductVersions
sentrybun10.11.0
sentrynestjs10.11.0
sentryremix10.11.0
sentrynode10.11.0
sentrysolidstart10.11.0
sentrynextjs10.11.0
sentrysveltekit10.11.0
sentrygoogle-cloud-serverless10.11.0
sentryastro10.11.0
sentrynuxt10.11.0
getsentrysentry-javascript>= 10.11.0, < 10.27.0
sentryaws-serverless10.11.0
sentrynode-core10.11.0

Timeline

  • Nov 24, 2025 CVE Published
  • Nov 25, 2025 EPSS Score
  • Nov 25, 2025 PoC Published
  • Nov 27, 2025 CVE Updated
  • Nov 30, 2025 EPSS Score
  • Dec 4, 2025 EPSS Score
  • Dec 9, 2025 EPSS Score
  • Dec 14, 2025 EPSS Score
  • Dec 18, 2025 EPSS Score
  • Dec 23, 2025 EPSS Score
  • Dec 28, 2025 EPSS Score
  • Jan 2, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›