Severity: medium · CWE-532 · OWASP A09:2021

Console.log of Sensitive Data

Logging passwords, tokens, full user objects, or payment data to the console sends that data to your log aggregator in plaintext.

How It Works

console.log() in Node.js writes to stdout, which is captured by every log aggregator (CloudWatch, Datadog, Splunk). If you log a user object that includes passwordHash or an auth token during debugging and forget to remove it, everyone with log access sees it. Log access is often much broader than database access.

Vulnerable Code

// BAD: logging full user objects or sensitive fields
console.log('Login attempt:', { email, password }); // password in logs!
console.log('User session:', user); // user.passwordHash in logs!
console.log('Payment:', { amount, cardNumber }); // PAN in logs!

Secure Code

// GOOD: log only non-sensitive identifiers and status
console.log('Login attempt for:', email); // email only, no password
console.log('Session created for userId:', user.id); // id only
console.log('Payment processed:', { amount, last4: card.last4 }); // last 4 only

Real-World Example

A 2021 Twitch breach analysis revealed that internal logs containing user session tokens were included in the leaked data. Any developer with log access before the breach could have seen active session tokens for any user.

How to Prevent It

  • Use a structured logger (Pino, Winston) with built-in redaction for sensitive field names
  • Never log password, passwordHash, token, secret, cardNumber, ssn, or similar fields
  • Audit all console.log statements before production deploys — your linter should flag these
  • Use user IDs and anonymized identifiers in logs, not full user objects
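The Secure Code section and the prevention list above both come down to one control: strip the fields named in that list before anything reaches stdout. The following is an added example, not code from this page or from any logging library; `redact`, `maskPan` and `safeLog` are hypothetical helper names, and the key list is taken from the "never log" bullet. It can wrap console.log directly or be used as a serializer in a structured logger.

```javascript
// Field names that must never appear in logs (from the prevention list above).
const SENSITIVE_KEYS = new Set(['password', 'passwordhash', 'token', 'secret', 'ssn']);

// Keep only the last 4 digits of a card number so support staff can still
// correlate a payment without the full PAN landing in the aggregator.
function maskPan(value) {
  const digits = String(value).replace(/\D/g, '');
  return digits.length >= 4 ? `****${digits.slice(-4)}` : '[REDACTED]';
}

// Return a redacted deep copy of `value`; the input object is never mutated.
// `ancestors` tracks the current path so circular user objects (ORM back-
// references are common) are cut off instead of blowing the stack.
function redact(value, ancestors = []) {
  if (value === null || typeof value !== 'object' || value instanceof Date) return value;
  if (ancestors.includes(value)) return '[Circular]';
  const path = [...ancestors, value];
  if (Array.isArray(value)) return value.map((v) => redact(v, path));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    const k = key.toLowerCase();
    if (k === 'cardnumber') out[key] = maskPan(v);
    else if (SENSITIVE_KEYS.has(k)) out[key] = '[REDACTED]';
    else out[key] = redact(v, path);
  }
  return out;
}

// Drop-in replacement for console.log that redacts every argument first,
// so a forgotten debug statement leaks an id and a marker, not a secret.
function safeLog(...args) {
  const cleaned = args.map((a) => redact(a));
  console.log(...cleaned);
  return cleaned;
}

// Constructed sample: the kind of object the vulnerable snippet above would log verbatim.
const sampleUser = { id: 7, email: 'ann@example.com', passwordHash: 'sha256$abc', session: { token: 'tok_123' } };
sampleUser.self = sampleUser;
safeLog('User session:', sampleUser);
```

Matching on lower-cased key names means `PasswordHash`, `TOKEN` and similar variants are caught too; extend `SENSITIVE_KEYS` with any field names specific to your schema.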

Affected Technologies

Node.js, JavaScript

Data Hogo detects this vulnerability automatically.