Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
- Severity: Medium
Description
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When `sendDefaultPii: true` was set, a few headers that were previously redacted - including `Authorization` and `Cookie` - were unintentionally allowed through.
Recommendation
Update the @sentry/sveltekit package to the latest compatible version. Version details:
- Affected version(s): >= 10.11.0, < 10.27.0
- Patched version(s): 10.27.0
References
Related Issues
- validator.js has a URL validation bypass vulnerability in its isURL function - CVE-2025-56200
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
- Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644
- Tags: npm, @sentry/sveltekit
Last updated on November 27, 2025