Description
A new security bug report has been reported by the bug bounty program.
Gemini Analysis Result
Possible code path of the root cause: None
Possible reason: The bug report indicates that response headers are being serialized into performance telemetry and captured in transaction payloads. getCapturedScopesOnSpan stores data into isolationScope and this scope is merged into emitted events, which are related to performance telemetry. The CODEOWNERS file has entries under /src/sentry/api/endpoints/organization_events_spans_performance.py and related paths which point to the getsentry/data-browsing team. This team seems likely to own code that captures and serializes span data, making them the most likely owner.
Possible owner: getsentry/data-browsing
Confidence score: 65
**If you believe the issue is incorrectly assigned, please assign it to the correct team or let the security team know. Thank you!**
To reduce risk of accidental information disclosure, we are intentionally not exposing full vulnerability details here.
Please see the parent ticket for the full report: VULN-1305