CVE-2025-57813: 
vulnerability analysis and mitigation

CVE-2025-57813 affects traQ, a messenger application built for Digital Creators Club traP, versions prior to 3.25.0. The vulnerability was discovered and disclosed on August 25, 2025, and involves sensitive information exposure in log files during SQL query execution errors (GitHub Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 5.9 (Medium). The vulnerability has the following vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, high attack complexity, high privileges required, no user interaction needed, unchanged scope, and high impact on confidentiality and integrity with no impact on availability (GitHub Advisory).

When an SQL query execution error occurs, sensitive information such as OAuth tokens gets recorded in log files. An attacker with access to log files could acquire this sensitive information by intentionally triggering SQL errors, for example by placing a high load on the database. Both human users and Bot OAuth tokens could potentially be exposed (GitHub Advisory).

The vulnerability has been patched in version 3.25.0. For users unable to upgrade immediately, temporary workarounds include reviewing and strictly limiting access permissions for SQL error logs. Additionally, it is recommended to invalidate OAuth tokens of human users by executing a specific SQL statement: 'UPDATE oauth2tokens SET deletedat = NOW() WHERE deleted_at IS NULL AND scopes != "bot"'. Note that revoking Bot access tokens is not recommended as it may cause errors (GitHub Advisory).