PT-2025-47578 · Unknown · Couch-Auth

Published: 2025-11-20 · Updated: 2025-12-12 · CVE-2025-60794

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Name of the Vulnerable Software and Affected Versions

couch-auth version 0.21.2

Description

Session tokens and passwords are stored in JavaScript objects within the software and are not explicitly cleared from memory. This occurs in src/user.ts lines 700-707, creating a potential for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, which could lead to session hijacking.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the user.ts file to minimize the risk of exploitation.

Related Identifiers

CVE-2025-60794
GHSA-62VX-HPCR-M9CH

Affected Products

Couch-Auth