PT-2025-26934 · Snyk · Snyk Cli
Published 2025-06-26 · Updated 2025-08-04 · CVE-2025-6624
CVSS v3.1: 7.2 (High)
Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
snyk versions prior to 1.1297.3
Description:
The issue allows sensitive information to be inserted into log files through local Snyk CLI debug logs. Container registry credentials supplied via environment variables or command-line arguments can be exposed when the Snyk CLI is run in DEBUG or DEBUG/TRACE mode. This affects several Snyk commands: snyk container test and snyk container monitor, when run against a container registry with debug mode enabled, may write container registry credentials into the local Snyk CLI debug log. Additionally, the snyk auth command with debug mode enabled and the log level set to TRACE may write Snyk access or refresh tokens into the local CLI debug logs. The snyk iac test command with a remote IaC custom rules bundle, debug mode enabled, and the log level set to TRACE may also write the Docker registry token into the local CLI debug logs.
Recommendations:
For versions prior to 1.1297.3, update to version 1.1297.3 or later to resolve the issue. As a temporary workaround, disable debug mode for Snyk CLI commands so that sensitive information is not written into the local debug logs, and restrict access to the local Snyk CLI debug logs to minimize the risk of exploitation. Avoid using the environment variables SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD or the command-line arguments --password/-p and --username/-u with Snyk CLI commands in DEBUG or DEBUG/TRACE mode until the issue is resolved.
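As an added example (not part of the advisory and not Snyk's own code), the check below scans a local CLI debug log for the registry password passed via SNYK_REGISTRY_PASSWORD or --password, looking for it in raw, URL-encoded and HTTP Basic base64 form, and redacts every hit before the log is shared. The log lines are constructed for illustration and do not reproduce the real Snyk debug log format.

```python
import base64
from urllib.parse import quote

# Constructed sample of what a local CLI debug log might contain (not a real Snyk log).
SAMPLE_LOG = """\
2025-06-26T10:00:00Z DEBUG snyk container test registry.example.com/app:1.0
2025-06-26T10:00:01Z TRACE request headers: {"authorization": "Basic ZGVwbG95OnMzY3JldC1wYXNz"}
2025-06-26T10:00:02Z DEBUG env: SNYK_REGISTRY_USERNAME=deploy SNYK_REGISTRY_PASSWORD=s3cret-pass
2025-06-26T10:00:03Z DEBUG fetching manifest for app:1.0
"""


def credential_forms(username, password):
    """Return the distinct encodings a password can take in a log: raw, URL-encoded
    (only when it differs from raw), and the base64 of 'user:pass' used by HTTP Basic auth."""
    forms = {"password": password}
    encoded = quote(password, safe="")
    if encoded != password:
        forms["password-urlencoded"] = encoded
    forms["basic-auth-base64"] = base64.b64encode(f"{username}:{password}".encode()).decode()
    return forms


def find_leaks(log_text, username, password):
    """Return (line_number, form_name) for every log line that contains the credential."""
    forms = credential_forms(username, password)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, needle in forms.items():
            if needle in line:
                hits.append((lineno, name))
    return hits


def redact(log_text, username, password):
    """Replace every detected credential form with a fixed marker before sharing the log."""
    out = log_text
    for needle in credential_forms(username, password).values():
        out = out.replace(needle, "[REDACTED]")
    return out
```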
Weakness Enumeration: Insertion into Log File
Related Identifiers: CVE-2025-6624
Affected Products: Snyk Cli