Notorious Penguin Magicians
Severity: low

Information Exposure
Versions of auth0 before 2.27.1 use a block list of specific keys that are sanitized from the request object contained in the error object. When a request to the Auth0 Management API fails, the key for the Authorization header is not on that block list, so the Authorization header value can be logged along with the error, exposing a bearer token.
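The failure mode above, illustrated with an added example that is not node-auth0's own code: a block-list sanitizer that misses the Authorization key leaks the bearer token when the error is serialized for logging, while a sanitizer that matches credential-bearing header names by pattern (case-insensitive) does not. The error shape, tenant URL and token value are constructed for the example.

```javascript
// Added example (not node-auth0's code): redacting sensitive request headers
// from an error object before it is logged. sanitizeWithBlockList mirrors the
// advisory's pattern (a block list of specific keys that omits Authorization);
// sanitizeHeaders redacts any header whose name looks credential-bearing.

// Constructed sample: an error carrying the request that failed.
function makeSampleError() {
  return {
    message: 'Request failed with status code 401',
    request: {
      method: 'GET',
      url: 'https://TENANT.auth0.com/api/v2/users', // placeholder tenant
      headers: {
        'Content-Type': 'application/json',
        Authorization: 'Bearer eyJ.constructed.token', // constructed value
        'x-api-key': 'constructed-api-key'             // constructed value
      }
    }
  };
}

// Weak sanitizer: a fixed list of key names, which does not name Authorization.
const BLOCKED_KEYS = ['password', 'client_secret'];
function sanitizeWithBlockList(err) {
  const copy = JSON.parse(JSON.stringify(err));
  for (const key of Object.keys(copy.request.headers)) {
    if (BLOCKED_KEYS.includes(key)) copy.request.headers[key] = '[REDACTED]';
  }
  return copy;
}

// Hardened sanitizer: match header names case-insensitively against a pattern,
// so Authorization, Proxy-Authorization, cookies and API-key style headers are
// all redacted regardless of the exact spelling the caller used.
const SENSITIVE_HEADER =
  /^(proxy-)?authorization$|^cookie$|^set-cookie$|api[-_]?key|secret|token/i;
function sanitizeHeaders(err) {
  const copy = JSON.parse(JSON.stringify(err));
  for (const key of Object.keys(copy.request.headers)) {
    if (SENSITIVE_HEADER.test(key)) copy.request.headers[key] = '[REDACTED]';
  }
  return copy;
}

// Check whether a given secret survives in the serialized error (what a logger would see).
function leaks(err, secret) {
  return JSON.stringify(err).includes(secret);
}
```

Running `leaks(sanitizeWithBlockList(makeSampleError()), 'eyJ.constructed.token')` returns true, which is the behaviour the advisory describes; the pattern-based sanitizer returns false for the same check.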

You are affected by this vulnerability if all of the following conditions apply:
Upgrade to version 2.27.1.
Advisory timeline

  1. Advisory published: Jul 29th, 2020
  2. Reported by Omar Diab: Jul 29th, 2020