CVE-2025-49009: 
Java vulnerability analysis and mitigation

Para, a multitenant backend server/framework for object persistence and retrieval, contains a vulnerability (CVE-2025-49009) discovered in versions prior to 1.50.8. The vulnerability exists in the FacebookAuthFilter.java component where a full request URL containing sensitive authentication information is logged during failed Facebook user profile requests. The issue was disclosed on June 5, 2025, and has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM) (GitHub Advisory, NVD).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). The issue occurs in FacebookAuthFilter.java where failed requests trigger a warning log that includes the user's Facebook access token in plain text. The vulnerability has a local attack vector (AV:L), low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N) (GitHub Advisory).

The vulnerability exposes Facebook access tokens in plain text within WARN-level logs, which are commonly retained in production environments and accessible to operators or log aggregation systems. This exposure could lead to unauthorized access to users' Facebook accounts if the tokens are intercepted (GitHub Advisory).

The vulnerability has been fixed in Para version 1.50.8. The fix involves modifying the logging statement to replace the actual access token with a placeholder '{access_token}' in the log message (GitHub Commit).