CVE-2025-48955: 
Java vulnerability analysis and mitigation

CVE-2025-48955 affects Para, a multitenant backend server/framework for object persistence and retrieval, in versions prior to 1.50.8. The vulnerability was discovered and disclosed on May 30, 2025. The issue involves the exposure of sensitive access and secret keys in log files without proper redaction during the server initialization process (GitHub Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) and has been assigned a CVSS v3.1 score of 6.2 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue exists in the HealthUtils.java file where a failed configuration file write operation triggers a logging statement that exposes both access and secret keys without redaction. These credentials are subsequently reused in variable assignments for persistence but do not require logging for debugging or system health purposes (GitHub Advisory).

The vulnerability could lead to the exposure of sensitive access and secret keys in log files, potentially compromising the security of the affected Para server installation. The high confidentiality impact indicated by the CVSS score suggests that unauthorized access to these credentials could lead to significant security breaches (GitHub Advisory).

The vulnerability has been patched in Para version 1.50.8. Users should upgrade to this version or later to address the issue. The fix involves removing the logging of sensitive credentials during the initialization process (GitHub Commit).