CVE-2025-60794

Dec. 12, 2025, 3:34 p.m.

6.5
Medium

Description

Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.

Product(s) Impacted

Vendor Product Versions
Perfood
  • Couchauth
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-316
Cleartext Storage of Sensitive Information in Memory
The product stores sensitive information in cleartext in memory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a perfood couchauth / / / / / node.js / /

References

https://github.com/perfood/couch-auth
https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md
https://www.npmjs.com/package/@perfood/couch-auth

Tags

cve@mitre.org
CWE-316
2025-11-20
CVE-2025-60794

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

    View Vector String

Timeline

Published: Nov. 20, 2025, 3:17 p.m.
Last Modified: Dec. 12, 2025, 3:34 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.