Security Update: NR20-02 for Node.js Agent

Even when users configure the Node.js agent to exclude the request.uri attribute, the agent will still capture the URI in transaction traces. This allows authenticated account users to view the URI anywhere transaction trace details can be viewed via New Relic One or queries. This includes (but is not limited to) the “Transaction traces” section of the Transactions page, the Transaction trace details modal, and the Query builder.


Mitigating factors

  • This will only affect Node.js agents configured to exclude the request.uri attribute.