CVE-2020-15125: Security Update for node-auth0 Library

Published: July 28, 2020

CVE number: CVE-2020-15125

Credit: Omar Diab (http://github.com/osdiab)

Overview

Versions up to and including 2.27.0 sanitize the request object contained in the error object using a block list of specific keys. When a request to the Auth0 Management API fails, the key for the Authorization header is not on that list, so the header value is not sanitized and can be logged, exposing a bearer token.
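The following JavaScript is an added illustration, not node-auth0's own code and not its actual block list. It contrasts the exact-match block-list sanitization the advisory describes with a deny-by-default sanitizer that matches sensitive keys case-insensitively and also redacts credential-shaped values, and it adds a log-time guard a logger can apply before writing an error object. The `err.request` shape, the `HYPOTHETICAL_BLOCK_LIST`, the `SENSITIVE_KEYS` set, the function names and all token values are constructed for the example.

```javascript
// Added example (not node-auth0 code): block-list sanitization vs. a
// deny-by-default sanitizer for a failed-request error object.
// Every object, key list and credential value here is constructed.

const SENSITIVE_KEYS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie',
  'x-api-key', 'client_secret', 'password', 'access_token',
  'refresh_token', 'id_token',
]);
const REDACTED = '[REDACTED]';
// Matches credential-shaped values regardless of the key they sit under.
const CREDENTIAL_VALUE = /^(Bearer|Basic)\s+\S+/i;

// Constructed failed-request error. The shape (err.request with headers and
// body) mirrors what HTTP clients commonly attach; values are placeholders.
function makeFailedRequestError() {
  const err = new Error('Request failed with status code 401');
  err.request = {
    method: 'GET',
    url: 'https://example-tenant.example.com/api/v2/users',
    headers: {
      'Content-Type': 'application/json',
      Authorization: 'Bearer PLACEHOLDER_ACCESS_TOKEN',
      'x-api-key': 'PLACEHOLDER_API_KEY',
    },
    body: { client_secret: 'PLACEHOLDER_CLIENT_SECRET' },
  };
  return err;
}

// Walks a plain object tree, replacing values whose key `shouldRedact`
// accepts, and any leaf value that `redactValue` accepts.
function redactTree(node, shouldRedact, redactValue) {
  if (Array.isArray(node)) {
    return node.map((v) => redactTree(v, shouldRedact, redactValue));
  }
  if (node === null || typeof node !== 'object') {
    return redactValue(node) ? REDACTED : node;
  }
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = shouldRedact(key) ? REDACTED : redactTree(value, shouldRedact, redactValue);
  }
  return out;
}

// Vulnerable pattern: an exact-match block list of known keys. This
// hypothetical list omits the Authorization header (and any custom credential
// header), so the bearer token passes through untouched.
const HYPOTHETICAL_BLOCK_LIST = ['client_secret', 'password'];

function sanitizeWithBlockList(err, blockList = HYPOTHETICAL_BLOCK_LIST) {
  return redactTree(err.request, (key) => blockList.includes(key), () => false);
}

// Hardened pattern: case-insensitive sensitive-key set plus value-shape
// matching, so a credential is redacted whether or not its key was anticipated.
function sanitizeHardened(err) {
  return redactTree(
    err.request,
    (key) => SENSITIVE_KEYS.has(key.toLowerCase()),
    (value) => typeof value === 'string' && CREDENTIAL_VALUE.test(value),
  );
}

// Log-time guard: returns false if the serialized payload still carries a
// Bearer/Basic credential, so a logger can drop or re-redact it before writing.
function safeToLog(obj) {
  return !/\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+/i.test(JSON.stringify(obj));
}

function demo() {
  const err = makeFailedRequestError();
  const leaky = sanitizeWithBlockList(err);
  const clean = sanitizeHardened(err);
  console.log('block list:', safeToLog(leaky) ? 'clean' : 'TOKEN LEAKED', '->', leaky.headers.Authorization);
  console.log('hardened  :', safeToLog(clean) ? 'clean' : 'TOKEN LEAKED', '->', clean.headers.Authorization);
  return { leaky, clean };
}

demo();
```

The two sanitizers differ only in their predicates: the block list asks "is this key one I listed?", while the hardened version asks "is this key sensitive under any casing, or does the value look like a credential?". Pairing either with `safeToLog` at the logging boundary catches a token that slipped through upstream.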

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using the auth0 npm package.

  • You are using a Machine to Machine application authorized to use the Auth0 Management API through the Client Credentials Flow.

How do I fix this?

Upgrade to version 2.27.1.

Will this update impact my users?

The fix provided in the patch will not affect your users.