Vulnerability Details CVE-2025-60794
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.7%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2025-60794
-
cpe:2.3:a:perfood:couchauth:-
-
cpe:2.3:a:perfood:couchauth:0.16.2
-
cpe:2.3:a:perfood:couchauth:0.16.3
-
cpe:2.3:a:perfood:couchauth:0.16.4
-
cpe:2.3:a:perfood:couchauth:0.17.0
-
cpe:2.3:a:perfood:couchauth:0.17.1
-
cpe:2.3:a:perfood:couchauth:0.17.2
-
cpe:2.3:a:perfood:couchauth:0.17.3
-
cpe:2.3:a:perfood:couchauth:0.17.4
-
cpe:2.3:a:perfood:couchauth:0.18.0
-
cpe:2.3:a:perfood:couchauth:0.18.1
-
cpe:2.3:a:perfood:couchauth:0.18.2
-
cpe:2.3:a:perfood:couchauth:0.18.3
-
cpe:2.3:a:perfood:couchauth:0.19.0
-
cpe:2.3:a:perfood:couchauth:0.19.1
-
cpe:2.3:a:perfood:couchauth:0.19.2
-
cpe:2.3:a:perfood:couchauth:0.20.0