CVE-2025-48955: Para Server Logs Sensitive Information

6.2 CVSS

Description

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.

Classification

CVE ID: CVE-2025-48955

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-532: Insertion of Sensitive Information into Log File

Affected Products

Vendor: Erudika

Product: para

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.33% (scored less or equal to compared to others)

EPSS Date: 2025-06-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48955
https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq
https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835

Timeline

2025-06-02 12:40:22 UTC
CVE

Para Server Logs Sensitive Information