Description
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 0.21.2
References
Related Issues
- CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177
- node-forge is vulnerable to ASN.1 OID Integer Truncation - CVE-2025-66030
- authkit-nextjs may let session cookies be cached in CDNs - CVE-2025-64762
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Tags:
- npm
- @perfood/couch-auth
Anything's wrong? Let us know Last updated on November 20, 2025