HackerOne Disclosed Reports - 2025-05-13


Severity: Critical   |   Status: Resolved

Netlify Authentication Token Exposed in Public Mozilla CI Logs


Bug reported by Samir Sec was disclosed on May 13, 2025, 9:35 am   |   Information Disclosure

A critical vulnerability was discovered involving the exposure of a Netlify authentication token within publicly accessible logs. The token provided full access to the "Mozilla IT Web SRE" Netlify account, bypassing all restrictions. The token's permissions encompassed roles such as Owner, Developer, Billing Admin, Reviewer, Publisher, and Content Editor, granting complete control over site management, deployments, billing, and content configurations.
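The class of bug above (a cloud provider token printed into a public CI log) is usually found by the same thing that should have prevented it: a secret scanner run over the log output before it is published. The script below is an added example written for this thread; it is not code from the report, from Mozilla's CI, or from Netlify. It scans constructed CI log lines for two things: a Netlify personal access token by shape (the `nfp_` prefix plus 36 alphanumerics is an assumption taken from common secret-scanner rules, not stated in the report) and any value handed to the Netlify CLI's `--auth` flag or assigned to `NETLIFY_AUTH_TOKEN`, filtered by a Shannon-entropy gate so that already-masked values like `***` are not reported. It then redacts what it found.

```python
import math
import re
from typing import List, NamedTuple

# Constructed CI log excerpt for illustration. The tokens are invented and are
# not the ones from the report; nothing here came from the Mozilla logs.
SAMPLE_LOG = """\
[task 2025-05-01T10:02:11Z] + npm run build
[task 2025-05-01T10:02:40Z] build finished
[task 2025-05-01T10:02:41Z] + netlify deploy --prod --auth nfp_Q7m2ZpK9vR4tLx8cW1nB6yH3dF0sJ5aG2eU7
[task 2025-05-01T10:02:41Z] export NETLIFY_AUTH_TOKEN=***
[task 2025-05-01T10:02:42Z] + netlify sites:list --auth=Zk92Lm4QpX7vR1tC
[task 2025-05-01T10:02:43Z] Deploy URL: https://example.netlify.app
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    token: str


# Rule 1: Netlify personal access token by shape. The "nfp_" prefix followed by
# 36 alphanumerics is an ASSUMPTION borrowed from common scanner rule sets.
NETLIFY_PAT = re.compile(r"\bnfp_[A-Za-z0-9]{36}\b")

# Rule 2: whatever value is passed to the CLI's --auth flag or assigned to
# NETLIFY_AUTH_TOKEN, regardless of its shape (catches legacy/other formats).
NETLIFY_ASSIGN = re.compile(r"(?:NETLIFY_AUTH_TOKEN\s*=\s*|--auth(?:=|\s+))([^\s'\"]+)")

# Bits per character. Masked placeholders ("***", "xxxxxxxx", "[secret]")
# fall far below this; real random tokens sit well above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_secrets(log_text: str) -> List[Finding]:
    """Return every suspected Netlify credential in the log, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for m in NETLIFY_PAT.finditer(line):
            seen.add(m.group(0))
            findings.append(Finding(line_no, "netlify-pat", m.group(0)))
        for m in NETLIFY_ASSIGN.finditer(line):
            tok = m.group(1)
            if tok in seen:
                continue  # already reported by the stricter rule
            if shannon_entropy(tok) < ENTROPY_THRESHOLD:
                continue  # masked or placeholder value, not a live secret
            findings.append(Finding(line_no, "netlify-assignment", tok))
    return findings


def redact(log_text: str) -> str:
    """Replace each finding with a 4-character prefix plus [REDACTED] for triage."""
    out = log_text
    for f in find_secrets(log_text):
        out = out.replace(f.token, f.token[:4] + "[REDACTED]")
    return out


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.token[:4]}...")
    print(redact(SAMPLE_LOG))
```

Run against the constructed log, the scanner flags line 3 (token by shape) and line 5 (a non-`nfp_` value passed to `--auth`), and skips line 4 because the value is already masked. In a real pipeline the redaction step belongs before the log is uploaded anywhere public, and any token the scanner does find in an already-published log has to be treated as compromised and revoked and rotated rather than merely redacted after the fact.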




