Severity: High | CWE-532 | OWASP A09:2021

Environment Variables in Logs

Logging process.env dumps all your secrets — API keys, database passwords, signing keys — directly into your log system.

How It Works

process.env is a flat object containing every environment variable. A single console.log(process.env) during debugging, if left in production code, broadcasts all your secrets to CloudWatch, Datadog, or whatever log aggregator you use. Anyone with log read access now has your production credentials.

Vulnerable Code

// BAD: logging the entire env object exposes every secret
console.log('Starting with config:', process.env);
// Inside a request handler, where req is the incoming request:
// the env object rides along with whatever else is being dumped
console.log('Debug info:', { env: process.env, request: req.body });

Secure Code

// GOOD: log only the specific non-sensitive values you need
console.log('Starting with config:', {
  NODE_ENV: process.env.NODE_ENV,
  PORT: process.env.PORT,
  // never log _KEY, _SECRET, _PASSWORD, _TOKEN
});

Real-World Example

A 2022 incident at a payments startup exposed their Stripe secret key and database password in Datadog logs. A disgruntled contractor with log access used the credentials to exfiltrate customer payment data.

How to Prevent It

  • Never log process.env, even in development — log specific safe keys explicitly
  • Add a log scrubbing middleware that redacts patterns matching *_KEY, *_SECRET, *_PASSWORD, *_TOKEN
  • Configure your logger (Winston, Pino) with a redact option for sensitive field names
  • Audit your logs regularly for accidental secret exposure
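As an added example (not code from the original page), the following implements the first three points above in one place: an allowlist for startup config, a recursive redactor keyed on the *_KEY, *_SECRET, *_PASSWORD and *_TOKEN suffixes, and a console wrapper that scrubs every argument before it reaches the log sink. The environment values are constructed placeholders; SAFE_ENV_KEYS is an assumed allowlist.

```javascript
// Key names that must never appear in logs. Matches the page's suffix patterns
// (*_KEY, *_SECRET, *_PASSWORD, *_TOKEN) and also bare names like "password".
const SENSITIVE_KEY = /(^|_)(KEY|SECRET|PASSWORD|PASSWD|TOKEN)$/i;
const REDACTED = '[REDACTED]';

// Assumed allowlist of environment variables that are safe to log at startup.
const SAFE_ENV_KEYS = ['NODE_ENV', 'PORT', 'LOG_LEVEL'];

// Return a deep copy of `value` with every property whose name matches
// SENSITIVE_KEY replaced by REDACTED. Handles nested objects and arrays;
// the depth guard stops runaway recursion on pathological inputs.
function redactSecrets(value, depth = 0) {
  if (depth > 20 || value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEY.test(k) ? REDACTED : redactSecrets(v, depth + 1);
  }
  return out;
}

// Pick only allowlisted keys from an env object (default: process.env).
// Unknown keys are dropped, so a new secret added later is never logged.
function safeEnv(env = process.env, allow = SAFE_ENV_KEYS) {
  const out = {};
  for (const k of allow) if (k in env) out[k] = env[k];
  return out;
}

// Wrap a console-like object so every argument is scrubbed before logging.
// Even a stray `log.log(process.env)` then emits only redacted secrets.
function scrubbedLogger(base = console) {
  const wrap = (fn) => (...args) => fn.call(base, ...args.map((a) => redactSecrets(a)));
  return { log: wrap(base.log), info: wrap(base.info), warn: wrap(base.warn), error: wrap(base.error) };
}

// Constructed sample environment; the values are placeholders, not credentials.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  PORT: '8080',
  STRIPE_SECRET_KEY: 'sk_live_PLACEHOLDER',
  DB_PASSWORD: 'PLACEHOLDER_PASSWORD',
  SESSION_TOKEN: 'tok_PLACEHOLDER',
};

// Demo: the startup line uses the allowlist, the debug line is caught by the wrapper.
const log = scrubbedLogger();
log.log('Starting with config:', safeEnv(SAMPLE_ENV));
log.log('Debug info:', { env: SAMPLE_ENV, request: { user: 'alice', API_TOKEN: 'x' } });
```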

Affected Technologies

Node.js, Python
