Impact
Nhost, an open-source Firebase alternative, allows users to authenticate via OAuth providers. A flaw in the OAuth callback flow before version 0.48.0 places the refresh token directly into the redirect URL as a query parameter. Because URLs are routinely logged by browsers, servers, and network devices, the refresh token ends up in browser history, server logs, HTTP Referer headers, and proxy or CDN logs. An attacker who gains access to any of those logs could harvest a one-time-use refresh token and exchange it for a new access token, gaining unauthorized access to user accounts and protected resources and compromising confidentiality.
Affected Systems
Vendors: Nhost. Product: Nhost authentication service. Affected versions: any release before 0.48.0 that implements the OAuth provider callback flow. The vulnerability is resolved in version 0.48.0 and later.
Risk and Exploitability
The CVSS score is 2.3, indicating low overall severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The vulnerability is triggered by the normal OAuth login process; an attacker only needs to observe server, CDN, or proxy logs to capture the leaked token. Because refresh tokens are one-time use, the window of exploitation is narrow, but a compromised token still grants access to user resources until it is invalidated. The risk is moderate for environments that retain logs and expose them to attackers or insiders.
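To make the exposure described in the Impact and Risk sections concrete, the following added example (not Nhost's code) contrasts a redirect that carries the token in the query string, which servers, Referer headers and proxies record, with one that carries it in the URL fragment, and then runs a simple detection pass over constructed access-log lines. The parameter name "refreshToken", the host "app.example" and the log format are assumptions for the example.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// buildRedirect builds the post-OAuth redirect URL. With inFragment=false it
// reproduces the pre-0.48.0 pattern: the token sits in the query string, which
// the browser sends to the server, copies into Referer headers, and which
// proxies and CDNs write to access logs. With inFragment=true the token rides
// in the URL fragment, which browsers never send to servers or in Referer, so
// it stays out of those logs. The fragment still lands in browser history, so
// this only narrows exposure; the token must also stay short-lived and one-time.
// "refreshToken" is an assumed parameter name; the advisory does not give it.
func buildRedirect(base, token string, inFragment bool) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if inFragment {
		u.Fragment = "refreshToken=" + token
		return u.String(), nil
	}
	q := u.Query()
	q.Set("refreshToken", token)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// tokenInQuery matches a token parameter in a query string, whether in the
// request line or in a logged Referer value; fragments (after '#') never match.
var tokenInQuery = regexp.MustCompile(`[?&](refreshToken|refresh_token)=[^&#\s"]+`)

// findLeakedTokens returns the 1-based numbers of log lines carrying a token.
func findLeakedTokens(logText string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		if tokenInQuery.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// Constructed sample access log: line 1 records the callback redirect, line 2
// leaks the same token again through the Referer field, line 3 is clean.
const sampleLog = `203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /app?refreshToken=CONSTRUCTED_TOKEN HTTP/1.1" 200 512 "-"
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /app/dashboard HTTP/1.1" 200 1024 "https://app.example/app?refreshToken=CONSTRUCTED_TOKEN"
203.0.113.6 - - [01/Jan/2025:10:00:02 +0000] "GET /app HTTP/1.1" 200 512 "-"`
```

Running findLeakedTokens over retained logs is a quick way to tell whether tokens from a pre-0.48.0 deployment are still sitting in log storage and need to be invalidated.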
OpenCVE Enrichment
Github GHSA