Description
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 0.21.2
References
Related Issues
- node-forge is vulnerable to ASN.1 OID Integer Truncation - CVE-2025-66030
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Budibase affected by VM2 Constructor Escape Vulnerability - Vulnerability
- Marvin Attack of RSA and RSAOAEP decryption in jsrsasign - CVE-2024-21484
- Tags:
- npm
- @perfood/couch-auth
Anything's wrong? Let us know Last updated on November 20, 2025