Sentry-Javascript Cookie Header Exposure Vulnerability in Node.js Applications

A vulnerability exists in the Sentry-Javascript SDK for Node.js, specifically in versions 10.11.0 prior to 10.27.0. When the 'sendDefaultPii' option is set to true, certain sensitive HTTP headers, including the Cookie header, can be inadvertently sent to Sentry. These headers are then stored within the Sentry organization as part of the associated trace. This issue could allow someone with access to the Sentry organization to view and misuse these sensitive values for impersonation or privilege escalation within the application.

Impact

Exposing sensitive HTTP headers, such as cookies, to Sentry can lead to unauthorized access or actions within the application, potentially allowing for impersonation or privilege escalation.

Reproduction

To reproduce this vulnerability, use a Node.js application with the Sentry-Javascript SDK version 10.11.0 prior to 10.27.0. Set the 'sendDefaultPii' option to true. When the application sends requests, certain sensitive headers will be included in the Sentry traces, where they can be accessed by individuals with Sentry organization access.

Remediation

Upgrade the Sentry-Javascript SDK to version 10.27.0 or later. If an immediate upgrade is not possible, consider disabling the 'sendDefaultPii' option to prevent sensitive headers from being sent to Sentry.