Use of GET Request Method With Sensitive Query Strings Affecting jleehr/canto-saas-api package, versions <3.0.0


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PHP-JLEEHRCANTOSAASAPI-17660430
  • Published: 27 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: jleehr

Introduced: 19 Jun 2026

CVE-2026-55375
CWE-209
CWE-598

How to fix?

Upgrade jleehr/canto-saas-api to version 3.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings when handling OAuth2 token requests: sensitive credentials (app_id, app_secret, refresh_token, and code) are placed in the URL query string and also appear in exception messages. An attacker who can read web server logs, proxy logs, APM tracing data, or application error logs that record these values can use them to gain unauthorized access to confidential information.

Workaround

This vulnerability can be mitigated by restricting access to logs containing OAuth credentials and by catching and sanitizing exception messages before logging or forwarding them.
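The following is an added illustration, not code from the jleehr/canto-saas-api package or from Snyk. It shows the weak pattern described in the overview (credentials in a GET query string, and an exception message that embeds the full URL) beside a hardened version that sends the same parameters in a POST body, plus the "catch and sanitize" step from the workaround. The endpoint URL, function names, parameter layout and the constructed credential values are assumptions.

```php
<?php
// Added illustration (not the package's code). Endpoint, names and values are assumed.
declare(strict_types=1);

// Parameter names the advisory identifies as sensitive.
const SENSITIVE_PARAMS = ['app_id', 'app_secret', 'refresh_token', 'code'];

/**
 * Weak pattern: credentials travel in the query string of a GET request, so the
 * request line recorded by web servers, proxies and APM tracers carries them.
 */
function buildTokenRequestWeak(string $appId, string $appSecret, string $refreshToken): array
{
    $url = 'https://example.invalid/oauth/token?' . http_build_query([
        'app_id'        => $appId,
        'app_secret'    => $appSecret,
        'refresh_token' => $refreshToken,
    ]);
    return ['method' => 'GET', 'url' => $url, 'body' => null];
}

/**
 * Hardened pattern: the same parameters go in the body of a POST request, so
 * the logged request line contains only the path.
 */
function buildTokenRequestHardened(string $appId, string $appSecret, string $refreshToken): array
{
    return [
        'method'  => 'POST',
        'url'     => 'https://example.invalid/oauth/token',
        'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'],
        'body'    => http_build_query([
            'app_id'        => $appId,
            'app_secret'    => $appSecret,
            'refresh_token' => $refreshToken,
        ]),
    ];
}

/**
 * Redact the values of sensitive query parameters wherever they appear in a
 * string (exception message, log line) before it is logged or forwarded.
 */
function redactSensitiveParams(string $text): string
{
    $names = implode('|', array_map('preg_quote', SENSITIVE_PARAMS));
    // Match name=value pairs; a value ends at '&', '#', whitespace or end of string.
    return preg_replace('/\b(' . $names . ')=[^&#\s]*/i', '$1=[REDACTED]', $text);
}

/**
 * Wrap the HTTP call so that any exception leaving this function has a
 * sanitized message. The original exception is deliberately not chained as
 * "previous", because loggers commonly print the whole chain.
 */
function requestTokenSafely(callable $httpClient, array $request): array
{
    try {
        return $httpClient($request);
    } catch (\Throwable $e) {
        throw new \RuntimeException(redactSensitiveParams($e->getMessage()));
    }
}

// Demonstration with constructed values (not real credentials).
$weak = buildTokenRequestWeak('app-123', 's3cr3t', 'rt-abc');
echo "Weak request line:     GET " . $weak['url'] . PHP_EOL;
echo "Redacted for logging:  " . redactSensitiveParams($weak['url']) . PHP_EOL;

$hard = buildTokenRequestHardened('app-123', 's3cr3t', 'rt-abc');
echo "Hardened request line: POST " . $hard['url'] . "  (credentials in body)" . PHP_EOL;

// Simulated failing client whose exception message embeds the full request URL,
// which is the second leak path the advisory describes (CWE-209).
$failingClient = function (array $req): array {
    throw new \RuntimeException('Token request failed: ' . $req['method'] . ' ' . $req['url']);
};
try {
    requestTokenSafely($failingClient, $weak);
} catch (\RuntimeException $e) {
    echo "Sanitized exception:   " . $e->getMessage() . PHP_EOL;
}
```

Redaction on its own only narrows the error-log path; the request-line leak into access, proxy and tracing logs is closed by moving the credentials out of the query string, which is what the fixed version of the package (3.0.0 or higher) is for. Until the upgrade is in place, apply both halves: keep secrets out of GET URLs where you control the call, and route every exception from the token flow through a redaction step like the one above before it reaches a logger or an error-reporting service.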
