PT-2024-26397 · Facebook · Facebook

Seiyab · Published 2024-05-24 · Updated 2024-06-05 · CVE-2024-35232

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: github.com/huandu/facebook versions prior to 2.7.2
Description: The issue concerns exposure of the access token in error messages when HTTP requests fail. The module sends HTTP requests with the token in a query parameter (?access_token=...). When such a request fails, the resulting error message may contain the full request URL, including the access token. If an application logs these error messages, the token can end up in log servers or other infrastructure. The issue affects client applications that log error messages from the module, return them to clients, or otherwise reuse them.
Recommendations: For github.com/huandu/facebook versions prior to 2.7.2, update to version 2.7.2 or later. As a temporary workaround, modify error handling so that sensitive values such as the access token are stripped from error messages before they are logged or propagated. Restrict access to error logs and ensure that error messages are not returned to clients or otherwise used in a way that could expose the token.
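The leak mechanism described above, and the workaround of stripping the token from error messages, as an added Go example (not code from huandu/facebook or from this advisory). It constructs a *url.Error of the shape net/http returns on a transport failure, shows that its message carries the full request URL including access_token, and redacts the token before the error is logged or returned. The token value, the URL, and the extra parameter names besides access_token are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample token; not a real credential.
const sampleToken = "EAABexampleTokenValue123"

// makeFailedRequestError builds a *url.Error the way net/http does when a
// request fails at the transport level. url.Error.Error() prints Op, the full
// URL (query string included) and the underlying error, which is the leak.
func makeFailedRequestError(rawURL string) error {
	return &url.Error{
		Op:  "Get",
		URL: rawURL,
		Err: errors.New("dial tcp: connection refused"), // constructed cause
	}
}

// redactURL replaces the value of secret-bearing query parameters with a fixed
// marker and leaves every other parameter as-is. Parameter names other than
// access_token are assumed for the example.
func redactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		// Never echo an unparseable URL back: it may still contain the token.
		return "<unparseable url>"
	}
	q := u.Query()
	for _, k := range []string{"access_token", "client_secret", "appsecret_proof"} {
		if q.Has(k) {
			q.Set(k, "REDACTED")
		}
	}
	u.RawQuery = q.Encode() // note: Encode sorts keys alphabetically
	return u.String()
}

// sanitizeError rewrites a *url.Error anywhere in the chain so that its message
// no longer carries the token, while keeping Op and the wrapped cause so that
// errors.Is / errors.As on the original transport error still work.
func sanitizeError(err error) error {
	var ue *url.Error
	if errors.As(err, &ue) {
		return &url.Error{Op: ue.Op, URL: redactURL(ue.URL), Err: ue.Err}
	}
	return err
}

func main() {
	// Constructed request URL of the kind the module would send.
	raw := "https://graph.facebook.com/v19.0/me?fields=id,name&access_token=" + sampleToken
	leaky := makeFailedRequestError(raw)
	fmt.Println("leaky:", leaky)                 // message contains the token
	fmt.Println("safe: ", sanitizeError(leaky))  // access_token=REDACTED
}
```

Run the sanitizer at the boundary where the module's error leaves your code (before logging, before returning it to a client, before attaching it to a span). Because url.Values.Encode sorts keys, the redacted URL may list parameters in a different order than the original; nothing else about the error changes.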

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2024-35232
GHSA-3F65-M234-9MXR
GO-2024-2882

Affected Products

Facebook