CVE-2025-50200: 
RabbitMQ vulnerability analysis and mitigation

RabbitMQ, a messaging and streaming broker, was found to have a security vulnerability (CVE-2025-50200) where authorization headers were being logged in plaintext encoded in base64. The vulnerability affects versions 3.13.7 and prior, and was discovered and disclosed on June 18, 2025. When users query the RabbitMQ API using HTTP/s with basic authentication, the system logs all request headers, including authorization headers containing base64-encoded username:password combinations (GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 base score of 6.7 (Medium severity) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue stems from improper logging practices where authentication credentials in the Authorization header are logged in their base64-encoded form, which can be easily decoded to reveal the plaintext credentials. The vulnerability is categorized as CWE-532 (Insertion of Sensitive Information into Log File) (GitHub Advisory, NVD).

The vulnerability leads to the disclosure of user credentials when certain API operations result in errors, such as searching for non-existent queues. The exposed credentials could potentially be used by attackers to gain unauthorized access to the system, with the level of access depending on the privileges of the exposed credentials (GitHub Advisory).

The vulnerability has been patched in RabbitMQ version 4.0.8. Users are advised to upgrade to version 4.0.8 or later to address this security issue. The fix prevents the logging of sensitive authentication headers (NVD, GitHub Advisory).