[GH-ISSUE #198] Logs expose credentials - Vulnerability #67

Closed
opened 2026-02-26 12:40:04 +03:00 by kerem · 1 comment
Owner

Originally created by @gdeeble on GitHub (Oct 18, 2025).
Original GitHub issue: https://github.com/community-scripts/ProxmoxVE-Local/issues/198

Have you read and understood the above guidelines?

yes

📝 Provide a clear and concise description of the issue.

This isn't actually a bug but more of a security vulnerability item. When posting usernames and passwords or SSH keys and passwords, the log exposes them in plain text. This can be considered a security vulnerability, and should be addressed.

When adding my servers to the app, I received an error due to the port not being an integer (another report), and I was able to check the log and see in plain text my credentials for each of the servers.

🔄 Steps to reproduce the issue.

  1. Add a server
  2. Cause an error on the page
  3. Check System Logs
  4. See plaintext password

Paste the full error output (if available).

Oct 18 13:05:07 pve-scripts-local npm[2878]: Invalid prisma.server.create() invocation:
Oct 18 13:05:07 pve-scripts-local npm[2878]: {
Oct 18 13:05:07 pve-scripts-local npm[2878]: data: {
Oct 18 13:05:07 pve-scripts-local npm[2878]: name: "Server",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ip: "x.x.x.x",
Oct 18 13:05:07 pve-scripts-local npm[2878]: user: "redacted",
Oct 18 13:05:07 pve-scripts-local npm[2878]: password: "redacted",
Oct 18 13:05:07 pve-scripts-local npm[2878]: auth_type: "password",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key: "",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key_passphrase: "",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_port: "22",
Oct 18 13:05:07 pve-scripts-local npm[2878]: ~~~~
Oct 18 13:05:07 pve-scripts-local npm[2878]: ssh_key_path: null,
Oct 18 13:05:07 pve-scripts-local npm[2878]: key_generated: false,
Oct 18 13:05:07 pve-scripts-local npm[2878]: color: "#3b82f6"
Oct 18 13:05:07 pve-scripts-local npm[2878]: }
Oct 18 13:05:07 pve-scripts-local npm[2878]: }

🖼️ Additional context (optional).

There may need to be a layer between the app and the log that can redact credentials to prevent a potential attack surface if someone was able to expose those logs.
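One shape the redaction layer suggested above could take, as an added example that is not part of the original issue and is not ProxmoxVE-Local's code. The function names (`redactText`, `redactValue`, `makeSafeLogger`) are hypothetical, the sensitive field names are taken from the log above, the sample error is constructed, and it assumes the app sends its log calls through the wrapper.

```javascript
// Added example: a redaction layer in front of the logger (hypothetical names).
const SENSITIVE_KEYS = ["ssh_key_passphrase", "ssh_key", "password"]; // from the log above
const MASK = "[REDACTED]";

// Matches `key: "value"` (optionally quoted key) as it appears in rendered
// error text or JSON, including escaped quotes inside the value.
const FIELD_RE = new RegExp(
  `(["']?\\b(?:${SENSITIVE_KEYS.join("|")})\\b["']?\\s*:\\s*)"(?:[^"\\\\]|\\\\.)*"`,
  "g"
);

// Scrub credentials embedded in free text, e.g. an ORM validation message
// that echoes the rejected arguments.
function redactText(text) {
  return String(text).replace(FIELD_RE, `$1"${MASK}"`);
}

// Deep-copy a log argument, masking sensitive keys and scrubbing strings.
function redactValue(value, seen = new WeakSet()) {
  if (typeof value === "string") return redactText(value);
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]"; // also collapses repeated references
  seen.add(value);
  if (value instanceof Error) { // stack is dropped: it repeats the message
    return { name: value.name, message: redactText(value.message) };
  }
  if (Array.isArray(value)) return value.map((v) => redactValue(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.includes(k) ? MASK : redactValue(v, seen);
  }
  return out;
}

// Wrap any console-like sink so nothing reaches it unredacted.
function makeSafeLogger(sink) {
  const wrap = (level) => (...args) => sink[level](...args.map((a) => redactValue(a)));
  return { info: wrap("info"), warn: wrap("warn"), error: wrap("error") };
}

// Constructed sample modelled on the error text in this issue.
const SAMPLE_ERROR = new Error([
  "Invalid `prisma.server.create()` invocation:",
  '  user: "root",',
  '  password: "constructed-secret",',
  '  ssh_port: "22",',
  "  ssh_key_path: null,",
].join("\n"));

makeSafeLogger(console).error("server create failed:", SAMPLE_ERROR);
```

Matching on exact key names keeps `ssh_key_path` and `ssh_port` readable for debugging while the three credential fields are masked in both structured arguments and error message text.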

kerem 2026-02-26 12:40:04 +03:00
  • closed this issue
  • added the bug label
Author
Owner

@michelroegl-brunner commented on GitHub (Oct 18, 2025):

Thank you, I will address that at the beginning of next week!
