Changelog for version 5.8.9

Released 11 December 2025

Gravwell

Attention

This release contains a high priority bug fix for a security violation where secrets were not properly masked in error messages when running scripts. Secrets may be exposed in notifications or stored in log messages as a result of the script. See the remediation and validation section below.

Additions

  • Added a flag in the regex module to enable array mode, which extracts all matches of each capture group into array enumerated values.

  • Added an evs_to_json() function to the eval module to return a JSON object of all the EVs on a given entry.

Bug Fixes

  • Fixed an issue where secrets were not properly masked in error messages when running scripts.

  • Fixed an issue where the tooltip was incorrect for cron specs with multiple hour ranges.

  • Fixed an issue where the webserver could sometimes lock-up when using direct search with a query attempting to write to a read-only resource.

Ingester Changes

Additions

Bug Fixes

  • Fixed version numbers on macOS ingesters.

Remediation and Validation

The secret leakage occurs when a script embeds a secret directly in an error message and returns that error during execution. Secrets were, and still are, properly masked when error messages are simply printed as debug messages from the script, but they were not masked in the error handling path. We have found a few instances where this bug could expose secrets:

  1. A script deliberately creates an error message with the embedded secret and returns it.

  2. A script embeds a secret in an SQL connection string, fails to connect to the SQL server, and then returns the SQL connection error.

  3. A script uses a secret as part of a hostname for a connection string and a DNS lookup fails.

Unfortunately, error messages from scripts are logged to the gravwell tag, which further exacerbates the leak. Gravwell highly recommends that users change any secrets which have been used in SQL and network connection strings in scripts.

To validate whether secrets have been leaked as a result of scripts returning them in errors, the following query will identify error strings from scripts:

tag=gravwell syslog -s Appname == searchagent Message == error name error
| table TIMESTAMP error

To check a specific script, filter on the name EV.

tag=gravwell syslog -s Appname == searchagent Message == error name=="test" error
| table TIMESTAMP error
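Once the query above has returned the error strings, they can be checked offline for the secret values in question. The following Python is an added example, not Gravwell code; its script names, error strings and secret values are constructed, and it checks each secret in the URL-encoded forms it takes inside connection strings as well as its literal form, covering all three leak patterns listed above.

```python
from urllib.parse import quote

# Constructed sample (script name, error string) pairs resembling what the
# validation query returns; the format is assumed, not copied from Gravwell.
SAMPLE_ERRORS = [
    ("backup-sync", "dial tcp: lookup db-s3cr3tT0ken.internal: no such host"),
    ("nightly-report", 'pq: password authentication failed for user "rpt" '
     "(conninfo postgres://rpt:Hunter2%21@db.example/reports)"),
    ("healthcheck", "GET https://api.example/status returned 503"),
]

# Constructed secrets a team might have configured for its scripts.
KNOWN_SECRETS = {"sql_password": "Hunter2!", "lookup_token": "s3cr3tT0ken"}


def secret_forms(value):
    """Return the literal secret plus the encodings it takes in connection strings."""
    forms = {value, quote(value, safe=""), quote(value)}
    return {f for f in forms if f}


def find_leaks(errors, secrets, script=None):
    """Map (script name, secret name) -> matched form for each error embedding a secret.

    Pass script= to mirror filtering the query on the name EV for one script.
    """
    hits = {}
    for name, msg in errors:
        if script is not None and name != script:
            continue
        for sname, value in secrets.items():
            for form in secret_forms(value):
                if form in msg:
                    hits[(name, sname)] = form
                    break
    return hits


def redact(msg, secrets):
    """Mask every form of every secret, longest form first so encodings are caught."""
    for value in secrets.values():
        for form in sorted(secret_forms(value), key=len, reverse=True):
            msg = msg.replace(form, "********")
    return msg


if __name__ == "__main__":
    for key, form in find_leaks(SAMPLE_ERRORS, KNOWN_SECRETS).items():
        print(f"script {key[0]!r} leaked {key[1]} as {form!r}")
```

The redact() helper is the kind of masking a script author can apply before returning an error, so that a remaining leak can be told apart from an already masked one.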