
AIKIDO-2026-502216

posthog-js is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday


Medium Risk

This Affects:

posthog-js (JavaScript)
1.127.0 - 1.391.6
Fixed in 1.391.7

TL;DR

The session replay network capture feature in posthog-js redacts credential-bearing headers before storing network requests in recordings. The redaction runs only on request headers and only matches an exact deny list, so response headers such as set-cookie and credential-shaped custom header names like x-gist-encoded-user-token are captured verbatim. This places user tokens, cookies, and other secrets in plaintext inside session recordings. The fix redacts denied headers on both request and response and matches credential-shaped header names by substring.
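The contrast described above, as an added example that is not posthog-js's own code: a "before" redactor that applies an exact-match deny list to request headers only, beside a "after" redactor that applies a substring match to both request and response headers. The deny list, the credential substrings, the `[redacted]` placeholder and the sample exchange are all constructed for this example; only the header names set-cookie and x-gist-encoded-user-token come from the advisory.

```javascript
// Added example, not posthog-js code. Shows why an exact-match deny list that
// runs only on request headers leaves credential-bearing headers in recordings,
// and how substring matching on both directions closes the gap.

// Assumed exact-match deny list used by the "before" redactor.
const EXACT_DENY_LIST = ["authorization", "cookie", "x-api-key"];

// "Before": exact match, request headers only. Response headers pass through.
function redactExactRequestOnly(requestHeaders, responseHeaders) {
  const redact = (headers) => {
    const out = {};
    for (const [name, value] of Object.entries(headers)) {
      out[name] = EXACT_DENY_LIST.includes(name.toLowerCase()) ? "[redacted]" : value;
    }
    return out;
  };
  return { request: redact(requestHeaders), response: { ...responseHeaders } };
}

// Assumed credential-shaped substrings for the "after" redactor. Over-matching
// (e.g. "idempotency-key") only costs a redacted value, never a leaked one.
const CREDENTIAL_SUBSTRINGS = ["auth", "cookie", "token", "secret", "key", "session"];

function isCredentialHeader(name) {
  const lower = name.toLowerCase();
  return CREDENTIAL_SUBSTRINGS.some((fragment) => lower.includes(fragment));
}

function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = isCredentialHeader(name) ? "[redacted]" : value;
  }
  return out;
}

// "After": the same substring rule applied to request and response alike.
function redactBothDirections(requestHeaders, responseHeaders) {
  return {
    request: redactHeaders(requestHeaders),
    response: redactHeaders(responseHeaders),
  };
}

// Constructed sample exchange; values are placeholders, not real credentials.
const SAMPLE_REQUEST_HEADERS = {
  "Content-Type": "application/json",
  Authorization: "Bearer example-token-value",
  "X-Gist-Encoded-User-Token": "example-user-token",
};
const SAMPLE_RESPONSE_HEADERS = {
  "Content-Type": "application/json",
  "Set-Cookie": "sessionid=example; HttpOnly",
};

// Audit helper: which credential-shaped headers still hold a plaintext value
// after redaction, as "direction:header-name" strings.
function leakedHeaderNames(redacted) {
  const leaks = [];
  for (const direction of ["request", "response"]) {
    for (const [name, value] of Object.entries(redacted[direction])) {
      if (isCredentialHeader(name) && value !== "[redacted]") {
        leaks.push(`${direction}:${name.toLowerCase()}`);
      }
    }
  }
  return leaks;
}

// Stand-alone run: the "before" redactor leaks the custom request token and
// the Set-Cookie response header; the "after" redactor leaks nothing.
console.log("before:", leakedHeaderNames(redactExactRequestOnly(SAMPLE_REQUEST_HEADERS, SAMPLE_RESPONSE_HEADERS)));
console.log("after:", leakedHeaderNames(redactBothDirections(SAMPLE_REQUEST_HEADERS, SAMPLE_RESPONSE_HEADERS)));
```

The audit helper is the part worth reusing: running it over a sample of your own recorded exchanges tells you whether a given redaction rule leaves any credential-shaped header readable, independently of which library produced the recording.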

Who does this affect?

You are affected if you are running a posthog-js version in the vulnerable range (1.127.0 - 1.391.6) and session replay network header capture is enabled.

Background info

posthog-js is vulnerable to Exposure of Sensitive Information in versions 1.127.0 - 1.391.6.

How to fix this

Upgrade posthog-js to the patched version, 1.391.7 or later.