CVE-2025-57813: 
vulnerability analysis and mitigation

CVE-2025-57813 affects traQ, a messenger application built for Digital Creators Club traP. The vulnerability was discovered and disclosed on August 25, 2025, affecting versions prior to 3.25.0. The issue involves sensitive information exposure, specifically OAuth tokens, being recorded in log files during SQL query execution errors (GitHub Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 score of 5.9 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, high attack complexity, high privileges required, no user interaction needed, unchanged scope, and high impact on confidentiality and integrity with no impact on availability (GitHub Advisory).

The vulnerability could allow attackers with log file access permissions to acquire sensitive information such as OAuth tokens. Both human users and Bot OAuth tokens could potentially be exposed. The exposure occurs when an attacker intentionally triggers SQL errors, such as by placing a high load on the database (GitHub Advisory).

The vulnerability has been patched in version 3.25.0. For users unable to upgrade immediately, temporary workarounds include reviewing and strictly limiting access permissions for SQL error logs. Additionally, it is recommended to invalidate OAuth tokens of human users by executing a specific SQL statement: 'UPDATE oauth2tokens SET deletedat = NOW() WHERE deleted_at IS NULL AND scopes != "bot"'. Note that revoking Bot access tokens is not recommended as it may cause errors (GitHub Advisory).