Medium severity6.2NVD Advisory· Published Jun 5, 2025· Updated Apr 15, 2026

CVE-2025-49009

Description

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in FacebookAuthFilter.java results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.erudika:para-serverMaven	< 1.50.8	1.50.8

Patches

9e782bef879a

https://github.com/erudika/paravia osv

46a908d887da

https://github.com/erudika/paravia osv

commit

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

github.com/advisories/GHSA-qx7g-fx8q-545gghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-49009ghsaADVISORY
github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cfnvdWEB
github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545gnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.403
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000