posthog is vulnerable to Sensitive Information Disclosure
50
Medium Risk
PostHog's exception autocapture can record the values of local variables from each application stack frame when capture_exception_code_variables is enabled. Variable-name masking is applied, but string values that contain credentials embedded in URLs, DSNs, or connection strings are captured verbatim, and custom objects are serialized through repr() without redacting sensitive attributes. As a result secrets such as database passwords and connection-string credentials can be included in the exception payloads sent to the configured error-tracking destination and become visible to anyone with access to it. The fix scrubs user:pass credentials from connection strings, traverses objects to redact fields like password by attribute name, and enables this masking by default.
You are affected if you are using a version that falls within the vulnerable range and have enabled exception code variable capture.
posthog is vulnerable to Sensitive Information Disclosure in versions 6.9.0 - 7.20.1.
Upgrade the posthog and/or the posthoganalytics library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant