CVE-2025-60794

Sažetak

Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.

Reference

https://github.com/perfood/couch-auth
https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md
https://www.npmjs.com/package/@perfood/couch-auth

CVSS

Base:	6.5
Impact:	2.5
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Zadnje važnije ažuriranje

12-12-2025 - 15:34

Objavljeno

20-11-2025 - 15:17