sentry-sdk is vulnerable to Insertion of Sensitive Information Into Sent Data
25
Low Risk
Several HTTP integrations in the Sentry Python SDK record URL-derived span attributes such as url.full, url.path, url.query, and url.fragment when the experimental span-streaming trace lifecycle (trace_lifecycle set to stream) is enabled. In that mode these attributes are recorded on incoming request and outgoing client spans without checking send_default_pii, so full request URLs, path segments, and query strings are captured even when default PII collection is disabled. Query strings and paths can contain sensitive values such as tokens, session identifiers, or user identifiers, which are then transmitted to Sentry against the user's opt-out. The fix gates these URL attributes behind should_send_default_pii() so they are recorded only when PII collection is explicitly enabled.
You are affected if you are using a version that falls within the vulnerable range with the experimental span-streaming trace lifecycle enabled (_experiments={"trace_lifecycle": "stream"}) and one of the affected HTTP integrations (such as aiohttp, httpx, wsgi, stdlib, tornado, sanic, boto3, or pyreqwest) active.
sentry-sdk is vulnerable to Insertion of Sensitive Information Into Sent Data in versions 2.59.0 - 2.63.0.
Upgrade the sentry-sdk library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant