Overview
Versions of auth0 before 2.27.1 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to the Auth0 management API fails, the key for the Authorization header is not sanitized, and the Authorization header value can be logged, exposing a bearer token.
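The sanitization gap described above, as an added example (not the auth0 package's own code): a request object is scrubbed with a block list of header names, first with a list that omits Authorization and then with one that includes it. The request object, both block lists and the header values are constructed for illustration and match no real API.

```javascript
// Added example, not code from the auth0 package. Shows how a block-list
// sanitizer that omits the Authorization key still lets a bearer token reach
// the logs, and how a corrected list redacts it before anything is logged.

// Constructed request object resembling what a failed management-API call
// might carry in its error object. Tenant and token are placeholders.
const failedRequest = {
  method: 'GET',
  url: 'https://EXAMPLE_TENANT.auth0.com/api/v2/users',
  headers: {
    'Content-Type': 'application/json',
    Authorization: 'Bearer FAKE.SAMPLE.TOKEN',
  },
};

// Illustrative block list (assumption, not the package's actual list):
// it names other sensitive headers but misses Authorization.
const WEAK_BLOCK_LIST = ['cookie', 'set-cookie', 'x-api-key'];

// Corrected list: add the credential-bearing headers. Matching is done
// case-insensitively below because HTTP header names are case-insensitive
// and request objects may carry them in any casing.
const HARDENED_BLOCK_LIST = [...WEAK_BLOCK_LIST, 'authorization', 'proxy-authorization'];

// Return a copy of the request with blocked header values replaced.
// The original object is not mutated.
function sanitizeRequest(request, blockList) {
  const blocked = new Set(blockList.map((name) => name.toLowerCase()));
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    headers[name] = blocked.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return { ...request, headers };
}

// Defensive check a logger could run before writing the object out:
// true if any header value still looks like a bearer credential.
function leaksBearerToken(request) {
  return Object.values(request.headers || {}).some(
    (value) => typeof value === 'string' && /^Bearer\s+\S+/i.test(value),
  );
}

// Demonstration when run directly: the weak list leaks, the hardened one does not.
console.log('weak list leaks token:', leaksBearerToken(sanitizeRequest(failedRequest, WEAK_BLOCK_LIST)));
console.log('hardened list leaks token:', leaksBearerToken(sanitizeRequest(failedRequest, HARDENED_BLOCK_LIST)));
```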
You are affected by this vulnerability if all of the following conditions apply:
- You are using the auth0 npm package
- You are using a Machine to Machine application authorized to use Auth0's management API (https://auth0.com/docs/flows/concepts/client-credentials)
Remediation
Upgrade to version 2.27.1.
Advisory timeline
- Reported by Omar Diab: Jul 29th, 2020
- Advisory published: Jul 29th, 2020