GHSA-r5w7-f542-q2j4: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-r5w7-f542-q2j4) affects the ContextLines integration in Sentry JavaScript SDK versions 8.10.0 to 8.49.0. This integration, which is enabled by default in the Node SDK and Node.js environment SDKs, uses readable streams to attach source context to outgoing events. The vulnerability was discovered and disclosed on January 28, 2025, affecting multiple Sentry packages including @sentry/node, @sentry/astro, @sentry/aws-serverless, and others (GitHub Advisory).

The vulnerability stems from the ContextLines integration's use of readable streams for file reading operations, where the stream was not explicitly closed after use. The issue has been assigned a CVSS score of 3.7 (Low severity) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-774 and affects multiple Sentry JavaScript packages that operate in Node.js environments (GitHub Advisory).

The vulnerability could lead to excessive amounts of file handles remaining open on the system, potentially resulting in a Denial of Service (DoS) condition. This occurs because the readable streams used for reading files are not properly closed after their use, leading to resource exhaustion (GitHub Advisory).

Users are advised to upgrade to version 8.49.0 or higher to address this vulnerability. For those unable to upgrade immediately, a workaround is available by disabling the ContextLines integration through the Sentry.init configuration. However, disabling this integration will result in the loss of source context on error events (GitHub Advisory).