Description
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 0.21.2
References
Related Issues
- @perfood/couch-auth has a host header injection vulnerability - CVE-2025-70948
- @perfood/couch-auth has an Observable Timing Discrepancy - CVE-2025-70949
- authkit-nextjs may let session cookies be cached in CDNs - CVE-2025-64762
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- Tags:
- npm
- @perfood/couch-auth
Anything's wrong? Let us know Last updated on November 20, 2025