CVE-2025-50200

Name: CVE-2025-50200
Description: RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ writes the full set of request headers of HTTP API calls to its logs, including the Authorization header. With HTTP basic authentication that header carries the base64-encoded username:password pair; base64 is an encoding, not encryption, so anyone who can read the broker's logs can trivially decode the credentials and, depending on the privileges of the account, use them to take control of the broker. This issue has been patched in version 4.0.8.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1108075
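The practical questions after reading the description are which accounts have already been exposed in existing log files and how to stop the header reaching downstream log collectors. The following is an added example, not code from the RabbitMQ project or from this tracker page: a small Python scanner that finds basic-auth Authorization headers anywhere in a log line, decodes the base64 token, reports the affected username (never the password) and can redact the token before a line is forwarded. The sample log lines are constructed for the example; they only imitate the fact that request headers end up in the log and do not reproduce the broker's real log layout, which is why the regular expression is written to be independent of the surrounding format.

```python
import base64
import binascii
import re
import sys

# Matches an HTTP basic-auth Authorization header wherever it appears in a
# line: plain "Authorization: Basic ..." as well as a JSON-style
# "authorization":"Basic ..." header dump. Header names are case-insensitive.
# Group 1 is everything up to the token, group 2 the base64 token itself.
BASIC_AUTH_RE = re.compile(
    r'(authorization"?\s*[:=]\s*"?Basic\s+)([A-Za-z0-9+/=]+)',
    re.IGNORECASE,
)

# Constructed sample log lines (not real RabbitMQ output). Lines 2 and 3 leak
# basic-auth credentials, line 4 carries a bearer token (not affected by this
# scan) and line 5 carries a malformed token that must not crash the scanner.
SAMPLE_LOG = """\
2025-05-01 10:00:01.000 [info] <0.1.0> accepting AMQP connection 10.0.0.5:52311 -> 10.0.0.2:5672
2025-05-01 10:00:02.000 [debug] <0.2.0> HTTP request GET /api/overview headers: {"accept":"*/*","authorization":"Basic YWRtaW46czNjcjN0","host":"broker:15672"}
2025-05-01 10:00:03.000 [debug] <0.2.0> HTTP request GET /api/queues headers: {"authorization":"Basic bW9uaXRvcjpub3QtYS1wYXNzd29yZA==","host":"broker:15672"}
2025-05-01 10:00:04.000 [debug] <0.2.0> HTTP request GET /api/health headers: {"authorization":"Bearer eyJhbGciOi...","host":"broker:15672"}
2025-05-01 10:00:05.000 [debug] <0.2.0> HTTP request GET /api/nodes headers: {"authorization":"Basic not*base64","host":"broker:15672"}
"""


def decode_basic(token):
    """Decode a basic-auth token into (username, password).

    Returns None when the token is not valid base64, not UTF-8, or lacks the
    "user:password" shape, so malformed lines are skipped rather than fatal.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def find_leaked_credentials(log_text):
    """Return one (line_number, username, password_length) record per leaked
    basic-auth credential found in log_text.

    The password itself is deliberately not returned: the scan result is meant
    to tell the team which accounts to rotate without repeating the leak.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in BASIC_AUTH_RE.finditer(line):
            decoded = decode_basic(match.group(2))
            if decoded is None:
                continue
            user, password = decoded
            findings.append((lineno, user, len(password)))
    return findings


def redact_basic_auth(line):
    """Replace the base64 token of every basic-auth header in a line with a
    fixed marker, e.g. for a log-shipping filter on a still-vulnerable broker."""
    return BASIC_AUTH_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    # Usage: python scan_rabbitmq_logs.py /var/log/rabbitmq/rabbit@host.log
    # Without an argument the constructed sample log is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for lineno, user, pwlen in find_leaked_credentials(text):
        print(f"line {lineno}: basic-auth credentials for user {user!r} "
              f"({pwlen}-character password) are present in the log")
```

Run it against the broker's log directory, including rotated and archived files, since the exposure started with the first logged API request and not with the publication of the CVE; every username it reports should be treated as compromised and rotated.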

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release                         Version              Status
rabbitmq-server (PTS)  bullseye (security), bullseye   3.8.9-3+deb11u1      vulnerable
rabbitmq-server (PTS)  bookworm, bookworm (security)   3.10.8-1.1+deb12u1   vulnerable
rabbitmq-server (PTS)  trixie, sid                     4.0.5-5              vulnerable

The information below is based on the following data on fixed versions.

Package          Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
rabbitmq-server  source  (unstable)  (unfixed)                       1108075

Notes

Upstream advisory: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8

All Debian releases listed above ship versions below the fixed upstream release 4.0.8 and are unfixed in Debian. Upgrading stops new credentials from being logged, but log files written while a vulnerable version was running still contain the headers: credentials found in them should be rotated, and access to the broker's log files and to any system that ingests them should be restricted accordingly.
