RabbitMQ < 3.13.8 (GHSA-gh3x-4x42-fvq8)

Published: 27 Jun 2025 00:00:00 | Reported by: Tenable | Type: nessus | Source: www.tenable.com

RabbitMQ versions prior to 3.13.8 log sensitive HTTP request headers in plaintext, exposing the credentials they carry.

Related

Reporter | Title | Published | Family
AlpineLinux | CVE-2025-50200 | 19 Jun 2025 17:15 | alpinelinux
CBLMariner | CVE-2025-50200 affecting package rabbitmq-server for versions less than 3.13.7-3 | 14 Nov 2025 22:03 | cbl_mariner
Circl | CVE-2025-50200 | 19 Jun 2025 16:45 | circl
CNNVD | RabbitMQ log information disclosure vulnerability | 19 Jun 2025 00:00 | cnnvd
CVE | CVE-2025-50200 | 19 Jun 2025 16:14 | cve
Cvelist | CVE-2025-50200 RabbitMQ Node can log Basic Auth header from an HTTP request | 19 Jun 2025 16:14 | cvelist
Debian CVE | CVE-2025-50200 | 19 Jun 2025 16:14 | debiancve
EUVD | EUVD-2025-18689 | 3 Oct 2025 20:07 | euvd
Microsoft CVE | RabbitMQ Node can log Basic Auth header from an HTTP request | 4 Sep 2025 11:09 | mscve
NVD | CVE-2025-50200 | 19 Jun 2025 17:15 | nvd

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(240739);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/23");

  script_cve_id("CVE-2025-50200");
  script_xref(name:"IAVA", value:"2025-A-0446");

  script_name(english:"RabbitMQ < 3.13.8 (GHSA-gh3x-4x42-fvq8)");

  script_set_attribute(attribute:"synopsis", value:
"The RabbitMQ installed on the remote host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
  "RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers 
  in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with 
  all headers in request, including authorization headers which show base64 encoded username:password. This is easy to 
  decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been 
  patched in version 4.0.8.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8e3fcc7");
  script_set_attribute(attribute:"solution", value:
"Upgrade to RabbitMQ version 3.13.8 or later.");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-50200");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pivotal_software:rabbitmq");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_rabbitmq_win_installed.nbin");
  script_require_keys("installed_sw/RabbitMQ");

  exit(0);
}
include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'requires': [
    {'scope': 'target', 'match': {'os': 'windows'}}
  ],
  'checks': [
    {
      'product': {'name': 'RabbitMQ', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'min_version': '0.0', 'max_version':'3.13.7', 'fixed_display':'Upgrade to 3.13.8 / 4.0.8 / 4.1.0'}
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:result);
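
The plugin above only checks the installed version. The advisory text it quotes describes the actual exposure: the management API logged every request header, including `Authorization: Basic <base64 user:password>`, so any log file from an unpatched node may already contain credentials that need rotating. The following scanner is an added example written for this page, not Tenable's or the RabbitMQ project's code. It finds Basic credentials on log lines, recovers only the username (so you know which accounts to rotate), and produces a redacted copy of each line. The log lines are constructed samples in an assumed format; real RabbitMQ output will differ, so adjust `BASIC_TOKEN` and the `authorization` check to your logs.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Matches the value of an HTTP Basic credential wherever it appears on a line.
BASIC_TOKEN = re.compile(r"\bBasic\s+([A-Za-z0-9+/]+={0,2})")

# Constructed sample lines loosely modelled on a debug-level header dump.
# These are NOT real RabbitMQ log output; the format is an assumption.
SAMPLE_LOG = """\
2025-06-19 10:00:01.123 [debug] <0.123.0> Request headers: [{<<"host">>,<<"localhost:15672">>},{<<"authorization">>,<<"Basic Z3Vlc3Q6Z3Vlc3Q=">>}]
2025-06-19 10:00:02.456 [info] <0.124.0> accepting AMQP connection 127.0.0.1:54321 -> 127.0.0.1:5672
2025-06-19 10:00:03.789 [debug] <0.125.0> Request headers: [{<<"authorization">>,<<"Bearer eyJhbGciOi...">>}]
2025-06-19 10:00:04.000 [debug] <0.126.0> Request headers: [{<<"authorization">>,<<"Basic YWRtaW46czNjcmV0">>}]
2025-06-19 10:00:05.000 [debug] <0.127.0> Request headers: [{<<"authorization">>,<<"Basic bm90YmFzZTY0!!!">>}]
"""


@dataclass
class Leak:
    line_no: int              # 1-based line number in the scanned text
    username: Optional[str]   # account recovered from the token, None if undecodable
    redacted: str             # the same line with the credential masked


def decode_basic_username(token: str) -> Optional[str]:
    """Return the username from a base64 'user:password' token; never the password."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def redact_basic_auth(line: str) -> str:
    """Mask every Basic credential on a log line, even ones that do not decode."""
    return BASIC_TOKEN.sub("Basic [REDACTED]", line)


def find_basic_auth_leaks(text: str) -> list[Leak]:
    """Scan log text for Authorization headers carrying Basic credentials."""
    leaks: list[Leak] = []
    for n, line in enumerate(text.splitlines(), start=1):
        # Only lines that echo an Authorization header are of interest.
        if "authorization" not in line.lower():
            continue
        for token in BASIC_TOKEN.findall(line):
            leaks.append(Leak(n, decode_basic_username(token), redact_basic_auth(line)))
    return leaks


def usernames_to_rotate(text: str) -> set[str]:
    """Distinct accounts whose password appeared in the logs and must be rotated."""
    return {leak.username for leak in find_basic_auth_leaks(text) if leak.username}


if __name__ == "__main__":
    for leak in find_basic_auth_leaks(SAMPLE_LOG):
        who = leak.username or "<undecodable token>"
        print(f"line {leak.line_no}: Basic credential for {who}")
        print("  redacted:", leak.redacted)
    print("rotate:", sorted(usernames_to_rotate(SAMPLE_LOG)))
```

Undecodable tokens are still redacted because anything after `Basic` is a secret even when it is not well-formed. Bearer tokens are left alone here to keep the example to the header type the advisory names; extend `BASIC_TOKEN` if your logs carry other schemes. Redaction is a containment step for log archives that already exist; the fix for new logs is the upgrade the plugin recommends.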

Last updated: 23 Oct 2025 00:00 (current)
Vulners AI Score: 5.4 (Medium risk)
CVSS 3.1: 5.5
CVSS 4: 6.7
EPSS: 0.00194
SSVC