CVE-2025-49009: Para Inserts Sensitive Information into Log File for Facebook authentication

June 6, 2025 (updated June 13, 2025)

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(…) with raw access token)

Technical Details:

The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:

logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`

References

Code Behaviors & Features

Detect and mitigate CVE-2025-49009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →