CVE-2025-60794
Description
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Couch-auth 0.21.2 stores session tokens and passwords in memory without explicit clearing, enabling sensitive data extraction via memory dumps or debugging tools.
Vulnerability Overview
CVE-2025-60794 describes a sensitive data exposure vulnerability in couch-auth version 0.21.2, an authentication solution for Node.js applications using CouchDB [1]. The bug resides in src/user.ts at lines 700–707, where session tokens and passwords are stored in JavaScript objects but are never explicitly cleared from memory after use [2]. This lack of memory sanitization means that sensitive authentication credentials remain resident in the process heap until garbage collection occurs or the application terminates.
Attack Vector and Prerequisites
Exploitation requires the ability to inspect the memory of the running Node.js process. This can be achieved through local memory dumps, debugging tools (such as --inspect or core dumps), or a memory-scanning technique like a Heartbleed-style buffer read if the attacker already has access to the server or a compromised dependency [3]. No user interaction is needed beyond the attacker's ability to access memory; the vulnerability exists server-side from the moment any session token or password is processed. The maintainer notes that the server is expected to run behind a load balancer for rate limiting, but this does not mitigate the memory exposure [1].
Impact
An attacker who successfully retrieves the in-memory credentials can impersonate authenticated users (session hijacking) or log in directly with captured passwords. Because the data remains in memory for an unknown and potentially lengthy period, the opportunity for extraction lasts until the process is restarted or the objects are overwritten by other operations [2][3]. The impact is classified as Information Disclosure, with a likely severity of HIGH due to the direct exposure of authentication secrets.
Mitigation Status
As of November 2025, the vendor (perfood) has not responded to a private vulnerability report, and no patch or advisory has been released [3]. Users are advised to limit access to the production server's memory (e.g., disable core dumps, restrict debug interfaces) and consider applying memory-sweep patches in the interim. The OAuth parts of couch-auth are no longer actively maintained, and switching to an actively maintained alternative may be prudent [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @perfood/couch-auth (npm) | <= 0.21.2 | — |
Affected products
- couch-auth/couch-auth
  - Range: = 0.21.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.