GHSA-r5w7-f542-q2j4
LOWPotential DoS when using ContextLines integration
Blast Radius
@sentry/node📦@sentry/astro📦@sentry/aws-serverless📦@sentry/bun📦@sentry/google-cloud-serverless📦@sentry/nestjs📦@sentry/nextjs📦@sentry/nuxt+3 moreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events.
The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS).
The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs that run in Node.js environments (@sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/nuxt, @sentry/remix, @sentry/solidstart, @sentry/sveltekit).
Patches
Users should upgrade to version 8.49.0 or higher.
Workarounds
To remediate this issue in affected versions without upgrading to version 8.49.0 and above you can disable the ContextLines integration. See the docs for more details.
Sentry.init({
// ...
integrations: function (integrations) {
// integrations will be all default integrations
return integrations.filter(function (integration) {
return integration.name !== "ContextLines";
});
},
});
If you disable the ContextLines integration, you will lose source context on your error events.
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @sentry/node | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
| 📦npm | @sentry/astro | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
| 📦npm | @sentry/aws-serverless | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
| 📦npm | @sentry/bun | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
| 📦npm | @sentry/google-cloud-serverless | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
| 📦npm | @sentry/nestjs | ≥ 8.10.0&&< 8.49.0 | 8.49.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @sentry/node. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @sentry/node to 8.49.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-r5w7-f542-q2j4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-r5w7-f542-q2j4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-r5w7-f542-q2j4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-r5w7-f542-q2j4 in your dependencies?
O3 detects GHSA-r5w7-f542-q2j4 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.