Description
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 0.21.2
References
Related Issues
- @perfood/couch-auth has an Observable Timing Discrepancy - CVE-2025-70949
- @perfood/couch-auth has a host header injection vulnerability - CVE-2025-70948
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- Storybook manager bundle may expose environment variables during build - CVE-2025-68429
You might also like:
- Tags:
- npm
- @perfood/couch-auth
Anything's wrong? Let us know Last updated on November 20, 2025