CVE-2025-6624: 
JavaScript vulnerability analysis and mitigation

CVE-2025-6624 affects versions of the Snyk CLI package before 1.1297.3, where sensitive information can be exposed through local debug logs. The vulnerability was discovered and disclosed on June 25, 2025, impacting the Snyk CLI's debug logging functionality. The issue specifically affects container registry credentials and authentication tokens when executing certain Snyk commands with debug mode enabled (Snyk Advisory).

The vulnerability occurs when executing Snyk CLI in DEBUG or DEBUG/TRACE mode, where container registry credentials and authentication tokens may be written to local debug logs. This affects three specific scenarios: 1) when running 'snyk container test' or 'snyk container monitor' commands with credentials specified via environment variables or CLI arguments, 2) when executing 'snyk auth' command with debug mode and TRACE log level enabled, exposing access/refresh tokens, and 3) when running 'snyk iac test' with Remote IAC Custom rules bundle and TRACE log level enabled, potentially exposing docker registry tokens (Snyk Advisory, GitHub Commit).

The vulnerability could lead to the exposure of sensitive credentials and tokens through local debug logs. This includes container registry credentials, Snyk access tokens, and docker registry tokens. The CVSS v4.0 base score is 2.4 (LOW), indicating that while the vulnerability requires local access and high privileges, it could have significant impact on confidentiality if exploited (Snyk Advisory).

The vulnerability has been patched in Snyk CLI version 1.1297.3. Users should upgrade to this version or higher to address the issue. The fix includes improved sanitization of credentials in local debug logs (CLI Release).