Skip to content

Security Report: CWE-532 – Plaintext Logging of ACCESS_KEY in Nacos Client (v3.0.0) #13494

New issue
New issue
Closed
Closed
Security Report: CWE-532 – Plaintext Logging of ACCESS_KEY in Nacos Client (v3.0.0)#13494
Labels
area/ClientRelated to Nacos Client SDKcontribution welcomegood first issueGood for newcomerskind/enhancementCategory issues or prs related to enhancement.
Milestone
3.0.2
@KylerKatzUH

Description

@KylerKatzUH
KylerKatzUH
opened on Jun 10, 2025

Hello,

I am reporting a CWE-532 vulnerability that I found in the Nacos client configuration utility logs, where sensitive information, specifically the ACCESS_KEY (an AccessKey ID used for authentication), is disclosed in plain text at the INFO level during the initialization of NacosConfigService. These values are included in a string representation of client properties without desensitization, making them accessible in logs that are typically enabled in production. This exposure risks unauthorized access to Nacos or Alibaba Cloud resources (via the AccessKey ID).

Affected Component: Nacos Client Configuration Logging

  • Version: Nacos 3.0.0
  • File Path:
  • nacos-3.0.0/client-basic/src/main/java/com/alibaba/nacos/client/utils/ClientBasicParamUtil.java
  • nacos-3.0.0/client/src/main/java/com/alibaba/nacos/client/config/NacosConfigService.java
  • Vulnerable Line(s):
  • ClientBasicParamUtil.java: Line 209 (calls appendKeyParameters with PropertyKeyConst.ACCESS_KEY, false)
  • ClientBasicParamUtil.java: Line 224 (appends propertyValue without desensitization for ACCESS_KEY)
  • NacosConfigService.java: Line 77 (logs parameters at INFO level:
  • LOGGER.info(ClientBasicParamUtil.getInputParameters(clientProperties.asProperties()));)
  • CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)

Technical Details

The vulnerability arises in ClientBasicParamUtil.getInputParameters, which constructs a string of configuration parameters from a Properties object. The ACCESS_KEY property is processed without desensitization, unlike PASSWORD and SECRET_KEY, which are masked. The resulting string is logged at the INFO level in NacosConfigService.

Data Flow Summary:

  1. (ClientBasicParamUtil.java, Line 209): PropertyKeyConst.
  • ACCESS_KEY is passed to appendKeyParameters with needDesensitise=false.
  1. (ClientBasicParamUtil.java, Line 218, 224):
  • The propertyKey (ACCESS_KEY) retrieves its value from properties, which is appended to a StringBuilder (result) in plain text.
  1. (ClientBasicParamUtil.java, Line 224, 209, 215):
  • The StringBuilder accumulates key-value pairs, including accessKey=.
  1. (ClientBasicParamUtil.java, Line 215):
  • result.toString() produces the formatted string with the plain-text ACCESS_KEY.
  1. (NacosConfigService.java, Line 77):
  • The string is logged at INFO level: LOGGER.info(ClientBasicParamUtil.getInputParameters(clientProperties.asProperties()));.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/ClientRelated to Nacos Client SDKcontribution welcomegood first issueGood for newcomerskind/enhancementCategory issues or prs related to enhancement.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions