This is an automated email from the ASF dual-hosted git repository.

traky pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 43e79840f85 blog: add cve-2025-62232 post (#1971)
43e79840f85 is described below

commit 43e79840f8520a4eea84a4db512615106d2b626d
Author: Ashish Tiwari <[email protected]>
AuthorDate: Thu Nov 6 08:49:06 2025 +0530

    blog: add cve-2025-62232 post (#1971)
---
 blog/en/blog/2025/10/31/cve-2025-62232.md | 35 +++++++++++++++++++++++++++++++
 blog/zh/blog/2025/10/31/cve-2025-62232.md | 35 +++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/blog/en/blog/2025/10/31/cve-2025-62232.md 
b/blog/en/blog/2025/10/31/cve-2025-62232.md
new file mode 100644
index 00000000000..f6bc997d5c1
--- /dev/null
+++ b/blog/en/blog/2025/10/31/cve-2025-62232.md
@@ -0,0 +1,35 @@
+---
+title: "Insertion of Sensitive Information into Log File (CVE-2025-62232)"
+keywords:
+- Vulnerability
+description: Sensitive data exposure via logging in basic-auth leads to 
plaintext usernames and passwords written to error logs and forwarded to log 
sinks when log level is INFO/DEBUG. This creates a high risk of credential 
compromise through log access.
+tags: [Vulnerabilities]
+image: https://static.api7.ai/uploads/2025/10/31/Y5eZJgtV_CVE-2025-62232.png
+---
+
+> For APISIX versions 1.0 and later, logging in basic-auth leads to plaintext 
usernames and passwords written to error logs.
+<!--truncate-->
+
+## Problem Description
+
+Sensitive data exposure in `basic-auth` causes plaintext usernames and 
passwords to be written to error logs and forwarded to log sinks when the log 
level is set to INFO/DEBUG. This poses a high risk of credential compromise 
through log access.
+
+## Affected Versions
+
+This issue affects all Apache APISIX versions starting from 1.0 through 3.14.
+
+## Solution
+
+Users are recommended to upgrade to version 3.14, which fixes this issue.
+
+## Vulnerability details
+
+Severity: Moderate
+
+Vulnerability publication date: October 30, 2025
+
+CVE details: https://nvd.nist.gov/vuln/detail/CVE-2025-62232
+
+## Contributor Profile
+
+This vulnerability was discovered and reported by Mapta / BugBunny_ai. Thank 
you for your contribution to the Apache APISIX community.
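Review bot: the Affected Versions and Solution sections of this hunk contradict each other: "starting from 1.0 through 3.14" places 3.14 inside the affected range, while the next section says 3.14 "fixes this issue". If 3.14 is the fixed release, the range should read "from 1.0 up to, but not including, 3.14" (the zh post already says 3.14 之前). Two smaller points in the same hunk: the front-matter description and the lead quote say "logging in basic-auth", which reads as signing in to basic-auth rather than log output produced by the basic-auth plugin; "logging by the basic-auth plugin" removes the ambiguity (the zh translation has already misread it as 登录). Since the text states that credentials were written to error logs and forwarded to log sinks at INFO/DEBUG, consider adding a sentence that upgrading does not remove entries already persisted in those logs and sinks.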
diff --git a/blog/zh/blog/2025/10/31/cve-2025-62232.md 
b/blog/zh/blog/2025/10/31/cve-2025-62232.md
new file mode 100644
index 00000000000..3cc92b417be
--- /dev/null
+++ b/blog/zh/blog/2025/10/31/cve-2025-62232.md
@@ -0,0 +1,35 @@
+---
+title: "将敏感信息插入日志文件 (CVE-2025-62232)"
+keywords:
+- Vulnerability
+description: 通过登录 basic-auth 导致敏感数据暴露,导致明文用户名和密码写入错误日志,并在日志级别为 INFO/DEBUG 
时转发到日志接收器。这会通过日志访问造成凭证泄露的高风险。
+tags: [Vulnerabilities]
+image: https://static.api7.ai/uploads/2025/10/31/Y5eZJgtV_CVE-2025-62232.png
+---
+
+> 对于 APISIX 版本 1.0>,登录 `basic-auth` 会导致将明文用户名和密码写入错误日志。
+<!--truncate-->
+
+## 问题描述
+
+通过登录 basic-auth 导致敏感数据暴露,导致明文用户名和密码写入错误日志,并在日志级别为 INFO/DEBUG 
时转发到日志接收器。这会通过日志访问造成凭证泄露的高风险。
+
+## 受影响的版本
+
+此问题影响 Apache APISIX 版本:1.0 及 3.14 之前的所有版本。
+
+## 解决方案
+
+建议用户升级到3.14版本,该版本修复了该问题。
+
+## 漏洞详情
+
+严重程度:中等
+
+漏洞公开日期: October 30, 2025
+
+CVE details: https://nvd.nist.gov/vuln/detail/CVE-2025-62232
+
+## Contributor Profile
+
+该漏洞由 Mapta / BugBunny_ai 发现并报告。感谢您对 Apache APISIX 社区的贡献。
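Review bot: the lead quote "对于 APISIX 版本 1.0>" is garbled; the stray ">" appears to be a leftover from "1.0 and later", and the line should read "对于 APISIX 1.0 及更高版本" to match the English post. In the same hunk, the description and 问题描述 render "logging in basic-auth" as "通过登录 basic-auth" (signing in to basic-auth), which misreads the English: the issue is the basic-auth plugin writing credentials to the log, so "basic-auth 插件的日志记录" is closer to the intended meaning. Minor: "漏洞公开日期: October 30, 2025" and the "CVE details" and "Contributor Profile" headings are left in English while the rest of the post is translated; 2025 年 10 月 30 日 and translated headings would keep the page consistent.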
