Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp)
- Severity: Medium
Description
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When `sendDefaultPii: true` was set, a few headers that were previously redacted, including `Authorization` and `Cookie`, were unintentionally allowed through.
Recommendation
Update the `@sentry/remix` package to the latest compatible version. Version details:
- Affected version(s): >= 10.11.0, < 10.27.0
- Patched version(s): 10.27.0
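As an added example (not Sentry's own code), a span hook that redacts `Authorization` and `Cookie` values from span attributes regardless of the `sendDefaultPii` setting, as defence in depth alongside the upgrade. It assumes the serialized span carries its attributes in a `data` map under OpenTelemetry-style keys (`http.request.header.<name>`); the `beforeSendSpan` option exists in the JavaScript SDK since v8, but the attribute key names are an assumption and should be checked against the spans your SDK version actually emits.

```javascript
// Header names whose values must never reach span attributes. The advisory
// names Authorization and Cookie; the other entries are this example's additions.
const SENSITIVE_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "cookie",
  "set-cookie",
]);
const REDACTED = "[Filtered]";

// Returns true when an attribute key carries a sensitive header value.
// Assumed key shape: "http.request.header.<name>" / "http.response.header.<name>".
function isSensitiveHeaderKey(key) {
  const m = /^http\.(?:request|response)\.header\.(.+)$/i.exec(key);
  return m !== null && SENSITIVE_HEADERS.has(m[1].toLowerCase());
}

// Pure function: returns a copy of the span with sensitive header attributes
// replaced by a placeholder. It does not consult sendDefaultPii, so the
// redaction holds even when PII collection is enabled. Shape of the argument
// (an object with a `data` attribute map) is assumed to match what a
// beforeSendSpan hook receives.
function scrubSpanHeaders(span) {
  if (!span || typeof span.data !== "object" || span.data === null) return span;
  const data = {};
  for (const [key, value] of Object.entries(span.data)) {
    data[key] = isSensitiveHeaderKey(key) ? REDACTED : value;
  }
  return { ...span, data };
}

// Constructed sample resembling a server span emitted by an affected SDK
// version for an incoming request while sendDefaultPii was true.
const sampleSpan = {
  op: "http.server",
  description: "GET /account",
  data: {
    "http.method": "GET",
    "http.request.header.authorization": "Bearer example-token",
    "http.request.header.cookie": "session=abc123",
    "http.request.header.user-agent": "curl/8.0",
  },
};

// Intended wiring: Sentry.init({ dsn, sendDefaultPii: true, beforeSendSpan: scrubSpanHeaders })
const scrubbed = scrubSpanHeaders(sampleSpan);
console.log(JSON.stringify(scrubbed, null, 2));
```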
Related Issues
- CVE-2025-65944
- Tags: npm, @sentry/remix
Last updated on November 27, 2025