CVE-2025-48955 MEDIUM

CVE-2025-48955: Para Server Logs Sensitive Information

Vendor Erudika
Product para
Weakness CWE-532 · Sensitive info in logs
Published June 2, 2025
Last update June 2, 2025

CVSS base score

6.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Para is a multitenant backend server/framework for object persistence and retrieval. Versions prior to 1.50.8 write both access keys and secret keys to logs without redaction. These credentials are later reused in variable assignments for persistence, but logging them is not required for debugging or system health purposes. Version 1.50.8 fixes the issue.

Key dates

02 Disclosure timeline

June 2, 2025 CVE published
June 2, 2025 Record updated