CVE-2025-48955: 
Java vulnerability analysis and mitigation

Para, a multitenant backend server/framework for object persistence and retrieval, contains a vulnerability (CVE-2025-48955) in versions prior to 1.50.8 that exposes both access and secret keys in logs without redaction. The vulnerability was discovered and disclosed on May 30, 2025, and has been assigned a CVSS v3.1 score of 6.2 (Medium) (GitHub Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). The issue exists in the HealthUtils.java file where a failed configuration file write operation triggers a logging statement that exposes both access and secret keys without redaction. These credentials are subsequently reused in variable assignments for persistence but do not require logging for debugging or system health purposes (GitHub Advisory, GitHub Commit).

The vulnerability could lead to the exposure of sensitive access and secret keys in log files, potentially compromising the security of the affected Para server installation. The high confidentiality impact indicated by the CVSS score suggests that unauthorized access to these credentials could lead to significant security breaches (Wiz).

The vulnerability has been patched in Para version 1.50.8. Users should upgrade to this version or later to address the issue. The fix involves removing the logging of sensitive credentials during the initialization process (GitHub Commit).