CVE-2025-48955 - Vulnerability Details - OpenCVE

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Erudika	Para

No data.

No data.

References

Link	Providers
https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835
https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq

History

Mon, 02 Jun 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Jun 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.
Title		Para Server Logs Sensitive Information
Weaknesses		CWE-532
References		https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835 https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-06-02T11:11:22.722Z

Updated: 2025-06-02T16:47:02.156Z

Reserved: 2025-05-28T18:49:07.585Z

Link: CVE-2025-48955

Vulnrichment

Updated: 2025-06-02T16:46:39.998Z

NVD

Status : Awaiting Analysis

Published: 2025-06-02T12:15:25.523

Modified: 2025-06-02T17:32:17.397

Link: CVE-2025-48955

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48955", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-28T18:49:07.585Z", "datePublished": "2025-06-02T11:11:22.722Z", "dateUpdated": "2025-06-02T16:47:02.156Z"}, "containers": {"cna": {"title": "Para Server Logs Sensitive Information", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"}, {"name": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835", "tags": ["x_refsource_MISC"], "url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"}], "affected": [{"vendor": "Erudika", "product": "para", "versions": [{"version": "< 1.50.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T11:11:22.722Z"}, "descriptions": [{"lang": "en", "value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue."}], "source": {"advisory": "GHSA-v75g-77vf-6jjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-02T16:46:31.470097Z", "id": "CVE-2025-48955", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T16:47:02.156Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48955", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-02T16:46:31.470097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T16:46:39.998Z"}}], "cna": {"title": "Para Server Logs Sensitive Information", "source": {"advisory": "GHSA-v75g-77vf-6jjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Erudika", "product": "para", "versions": [{"status": "affected", "version": "< 1.50.8"}]}], "references": [{"url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq", "name": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835", "name": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T11:11:22.722Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48955", "state": "PUBLISHED", "dateUpdated": "2025-06-02T16:47:02.156Z", "dateReserved": "2025-05-28T18:49:07.585Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-02T11:11:22.722Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}