Intel

AIKIDO-2026-925299

auth-sanitizer is vulnerable to Information Disclosure

Information Disclosure Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

32

Low Risk

This Affects:

RUBYauth-sanitizer
0.1.0 - 0.1.5
Fixed in 0.2.0
Are you affected? Scan for Free

TL;DR

Auth::Sanitizer::FilteredAttributes#inspect redacts sensitive values so host objects can be printed to logs, exceptions, and consoles safely. Before the fix, the method rebuilt inspect output and only redacted configured names when they were top-level instance variables, so configured names stored inside hash-valued instance variables (for example an adapter model holding attributes in an internal hash) were printed in cleartext. This exposes secrets such as tokens and password digests in standard Ruby hash inspect fragments, including nested hashes. The fix delegates to super.inspect and applies constrained pattern redaction that also covers configured names appearing as symbol or string hash keys.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you rely on FilteredAttributes to redact configured attribute names that can appear inside hash inspect output.

Background info

auth-sanitizer is vulnerable to Information Disclosure in versions 0.1.0 - 0.1.5.

How to fix this

Upgrade the auth-sanitizer library to the patch version.