CVE-2025-6624

Summary

CVE	CVE-2025-6624
State	PUBLISHED
Assigner	snyk
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-06-26 05:15:23 UTC
Updated	2026-04-29 01:00:01 UTC
Description	Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode. The issue affects the following Snyk commands: 1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u). 2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs. 3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs.

Risk And Classification

Primary CVSS: v4.0 1.2 LOW from [email protected]

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-532 | CWE-532 Insertion of Sensitive Information into Log File | CWE-532 CWE-532 Insertion of Sensitive Information into Log File

Version	Source	Type	Score	Severity	Vector
4.0	[email protected]	Secondary	1.2	LOW	`CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/C...`
4.0	CNA	DECLARED	2.4	LOW	`CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:P`
3.1	[email protected]	Secondary	7.2	HIGH	`CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.2	HIGH	`CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P`

CVSS v4.0 Breakdown

Attack Vector

Local

Attack Complexity

High

Attack Requirements

Present

Privileges Required

High

User Interaction

Passive

Confidentiality

Low

Integrity

None

Availability

None

Sub Conf.

High

Sub Integrity

High

Sub Availability

High

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Snyk	Snyk Cli	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	Snyk	affected 1.1297.3 semver	Not specified

References

Reference	Source	Link	Tags
github.com/snyk/go-application-framework/commit/ca7ba7d72e68455afb466a7a...	[email protected]	github.com	Patch
security.snyk.io/vuln/SNYK-JS-SNYK-10497607	[email protected]	security.snyk.io	Third Party Advisory
docs.snyk.io/snyk-cli/debugging-the-snyk-cli	[email protected]	docs.snyk.io	Technical Description
github.com/snyk/cli/releases/tag/v1.1297.3	[email protected]	github.com	Release Notes
github.com/snyk/cli/commit/38322f377da7e5f1391e1f641710be50989fa4df	[email protected]	github.com	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Snyk Research Team (en)

There are currently no legacy QID mappings associated with this CVE.