JWT Token Exposure in Log Download URL


Published: August 2025

Severity: Low

CVSS v3.1 Score: 3.1 (Low)

CWE: CWE-598: Use of GET Request Method With Sensitive Query Strings

Affected Versions: Webswing 22.2 through 23.2.20, and 24.1 through 25.1.3

Fixed In: 23.2.21 LTS, 25.1.4 LTS


Description

In affected Webswing versions, when an administrator downloads log files from the admin console, the request to /rest/logs/session/download includes a JWT token in the URL query string. This token is not the administrator’s session token, but a dedicated, short-lived (30 minutes) token with limited scope, allowing only the log download operation.

While the risk is limited, placing sensitive tokens in the URL may lead to unintentional exposure via browser history, reverse proxy logs, or referrer headers.


Impact

Anyone with access to logged URLs or browser history during the token’s validity window could potentially use the token to download log files. These logs may contain sensitive internal system information.


Resolution

This issue is resolved in:

  • 23.2.21 LTS
  • 25.1.4 LTS

In these versions, the token is now transmitted via the Authorization header instead of the URL, reducing exposure risk.


Recommendations

Customers running affected versions should upgrade to 23.2.21 or 25.1.4 as appropriate.

Customers with extended support contracts who require a fix for a different major version are encouraged to contact Webswing support.
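Because the exposure path runs through reverse-proxy logs and browser history, operators of affected versions may want to check whether such tokens were already recorded and scrub them. The following is an added example, not Webswing's own code: it scans constructed access-log lines for requests to /rest/logs/session/download that carry a JWT-shaped query value, and redacts the value before the finding is stored. The query parameter name "token" and the log lines are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Endpoint named in the advisory; the query parameter name is not, so the
# sample below uses "token" as an assumption.
LOG_DOWNLOAD_PATH = "/rest/logs/session/download"
# Compact JWS: three base64url segments, header always starts with "eyJ".
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]*")
# Combined-format access-log line: client, timestamp, method, request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

# Constructed access-log lines (not real traffic); the JWT is a dummy value.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2025:10:01:12 +0000] "GET /rest/logs/session/download?session=abc&token=eyJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6ImxvZyJ9.c2lnbmF0dXJl HTTP/1.1" 200 5120 "https://webswing.example/admin" "Mozilla/5.0"
10.0.0.5 - - [14/Aug/2025:10:01:15 +0000] "GET /admin/static/app.js HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Aug/2025:10:02:01 +0000] "GET /rest/logs/session/download?session=xyz HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def redact_query_tokens(url: str) -> str:
    """Return url with every JWT-shaped query value replaced by a placeholder,
    so a finding (or a scrubbed log copy) never retains the token itself."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED_JWT" if JWT_RE.fullmatch(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_exposed_tokens(log_text: str) -> list[dict]:
    """Scan access-log text for log-download requests carrying a JWT in the
    query string. Returns one finding per matching line, token redacted."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, ts, method, url = m.groups()
        parts = urlsplit(url)
        if parts.path != LOG_DOWNLOAD_PATH:
            continue
        exposed = [k for k, v in parse_qsl(parts.query) if JWT_RE.fullmatch(v)]
        if exposed:
            findings.append({"client": client, "time": ts, "method": method,
                             "params": exposed, "url": redact_query_tokens(url)})
    return findings


if __name__ == "__main__":
    for f in find_exposed_tokens(SAMPLE_LOG):
        print(f)
```

Each finding gives the client, timestamp and parameter name, which is enough to check whether the request fell inside a token's 30-minute validity window without re-logging the token.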


Discoverer

Jean-Michel Huguet and Jorge Escabias from NATO Cyber Security Center