Summary

On every application start, config/config.js logs the entire configuration object to stdout via util.inspect(). This exposes the session cookie secret, the cryptographic key, and the MongoDB connection string (which may contain credentials) to anyone with access to the application logs.

Vulnerable Code

File: config/config.js, lines 12-13

Secrets exposed (defined in config/env/all.js):

- cookieSecret, the session cookie secret (enables session forgery)
- cryptoKey, the cryptographic key (enables decryption of encrypted fields)
- db, the MongoDB connection string (may contain database credentials)

Impact

In containerized or cloud deployments, stdout is typically captured by logging infrastructure (CloudWatch, Stackdriver, ELK, etc.) that is readable by operations staff who should not have access to the session secret, the crypto key, or the database credentials. Anyone able to read those logs can forge sessions, decrypt the encrypted fields and, if the connection string carries credentials, connect to the database directly.

This is CWE-532 (Insertion of Sensitive Information into Log File).

Relationship to Existing Issues

Issue "Insecure Default - mongodb connection string" #222 covers the insecure default MongoDB connection string value, which is a different concern (CWE-798, hardcoded credentials, rather than CWE-532, credential logging).

The util.inspect() call was introduced as a logging readability improvement; the security implication was not flagged.

The A5 tutorial covers HTTP security headers and cookie settings. The A6 tutorial covers data-at-rest encryption. Neither covers credential logging.

Suggested Fix

Remove the config logging, or gate it behind a debug flag and redact the secrets before printing (config and util are the objects already in scope in config/config.js):

```js
if (process.env.NODE_ENV === "development" && process.env.DEBUG_CONFIG) {
  // Redact secrets before logging
  const safeConfig = { ...config };
  safeConfig.cookieSecret = "[REDACTED]";
  safeConfig.cryptoKey = "[REDACTED]";
  if (safeConfig.db && safeConfig.db.includes("@")) {
    // Strip the user:password part of mongodb://user:password@host/db
    safeConfig.db = safeConfig.db.replace(/:\/\/.*@/, "://[REDACTED]@");
  }
  console.log("Current Config:");
  console.log(util.inspect(safeConfig, false, null));
}
```