Skip to content

Authorization header is not sanitized in an error object

Low
lzychowski published GHSA-5jpf-pj32-xx53 Jul 28, 2020

Package

npm auth0 (npm)

Affected versions

<= 2.27.0

Patched versions

2.27.1

Description

Overview

Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization header is not sanitized and the Authorization header value can be logged exposing a bearer token.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

How to fix that?

Upgrade to version 2.27.1

Will this update impact my users?

The fix provided in patch will not affect your users.

Credit

http://github.com/osdiab

Severity

Low

CVE ID

CVE-2020-15125

Weaknesses

No CWEs

Credits