CVE-2025-65944: 
JavaScript vulnerability analysis and mitigation

When a Node.js application using the Sentry SDK has sendDefaultPii: true configured, sensitive HTTP headers including Cookie and Authorization headers could be inadvertently sent to Sentry between versions 10.11.0 and 10.26.0. These headers would be stored within the Sentry organization as part of the associated trace. The vulnerability affects multiple Sentry Node.js SDK packages including @sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/node, @sentry/node-core, @sentry/nuxt, @sentry/remix, @sentry/solidstart, and @sentry/sveltekit (GitHub Advisory).

The vulnerability was introduced in version 10.11.0 when changes were made to how the SDK collects request data in Node.js applications, causing certain incoming HTTP headers to be added as trace span attributes. When sendDefaultPii: true was set, headers that were previously redacted (like Authorization and Cookie) were unintentionally allowed through. While Sentry's server-side scrubbing normally provides a second layer of protection through the Relay edge proxy, it used the same matching logic as the SDK and thus also failed to catch these headers (GitHub Advisory).

A person with access to the Sentry organization could view and potentially use these sensitive header values to impersonate or escalate their privileges within a user's application. Users can check if their project was affected by visiting Explore → Traces and searching for 'http.request.header.authorization', 'http.request.header.cookie' or similar headers (GitHub Advisory).

The issue has been patched in version 10.27.0 of all affected Sentry JavaScript SDKs. Users are strongly encouraged to upgrade to version 10.27.0 or later. As a workaround, users can set sendDefaultPii: false to avoid unintentionally sending sensitive headers if upgrading is not immediately possible (GitHub Advisory).