Bug 2373901 (CVE-2025-50200) - CVE-2025-50200 rabbitmq-server: RabbitMQ Node can log Basic Auth header from an HTTP request
Summary: CVE-2025-50200 rabbitmq-server: RabbitMQ Node can log Basic Auth header from ...
Keywords:
Status: NEW
Alias: CVE-2025-50200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2373988
Blocks:
Reported: 2025-06-19 17:01 UTC by OSIDB Bzimport
Modified: 2025-06-20 07:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-19 17:01:09 UTC
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying the RabbitMQ API over HTTP/s with basic authentication, it creates logs with all headers in the request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control of the system depending on credentials. This issue has been patched in version 4.0.8.
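
For operators cleaning up after this issue, the following is an added example (not part of this bug report or of RabbitMQ) that redacts Basic credentials from log lines and lists the usernames whose passwords should be rotated. The sample log lines and their layout are constructed for illustration and are not actual RabbitMQ output; `scrub` and `SAMPLE_LOG` are hypothetical names.

```python
import base64
import binascii
import re

# "authorization", a short run of separator characters (': ', '">> => <<"', ...),
# then "Basic <base64 token>". The separator allowance is an assumption, since
# the exact layout of the affected log entries is not given in the report.
BASIC_RE = re.compile(
    r'(authorization\W{1,12}Basic\s+)([A-Za-z0-9+/]+={0,2})', re.IGNORECASE)

# Constructed sample lines (not real RabbitMQ log output).
SAMPLE_LOG = [
    '2025-06-19 17:01:09 [error] request failed, headers: '
    '{"authorization": "Basic Z3Vlc3Q6Z3Vlc3Q=", "host": "mq.example:15672"}',
    '2025-06-19 17:01:10 [error] <<"authorization">> => <<"Basic bW9uaXRvcjpzM2NyZXQ=">>',
    '2025-06-19 17:01:11 [info] accepting AMQP connection',
    '2025-06-19 17:01:12 [error] Authorization: Basic abcde',
]


def _username(token):
    """Return the username half of a Basic token, or None if it does not decode."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")  # password is never kept
    return user if sep else None


def scrub(lines):
    """Redact Basic credentials; return (clean_lines, usernames_to_rotate)."""
    exposed = set()

    def _redact(match):
        user = _username(match.group(2))
        if user is not None:
            exposed.add(user)
        # Redact even when the token does not decode: it may be truncated.
        return match.group(1) + "[REDACTED]"

    clean = [BASIC_RE.sub(_redact, line) for line in lines]
    return clean, exposed


if __name__ == "__main__":
    cleaned, users = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("rotate credentials for:", sorted(users))
```

Redaction only limits further exposure from the log files themselves; any credential that appeared in a log should be treated as disclosed and rotated.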

