Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 3

Severity:: Medium

Description

In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When sendDefaultPii: true was set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.

Recommendation

Update the @sentry/nuxt package to the latest compatible version. Followings are version details:

Affected version(s): >= 10.11.0, < 10.27.0
Patched version(s): 10.27.0

References

GHSA-6465-jgvq-jhgp
CVE-2025-65944
CWE-201
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 9 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 7 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 6 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 5 - CVE-2025-65944

Tags:: npm; @sentry/nuxt

Anything's wrong? Let us know Last updated on November 27, 2025