CVE-2020-15125: Security Update for node-auth0 Library
Published: July 28, 2020
CVE number: CVE-2020-15125
Credit: Omar Diab (http://github.com/osdiab)
Overview
Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to the Auth0 Management API fails, the key for the Authorization header is not sanitized, so the Authorization header value can be logged, exposing a bearer token.
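The flaw class the Overview describes, as an added example that is not node-auth0's code or its 2.27.1 fix: a block-list header scrubber beside an allow-list alternative, plus a check a log reviewer could run over serialized errors. The request shape, header names, domain and token value are constructed for this illustration.

```javascript
// Added illustration (not node-auth0's code or its 2.27.1 fix): scrubbing a failed
// request's headers with a fixed block list that omits "Authorization" lets the
// bearer token ride along in the error object that gets logged. All names, shapes
// and values below are constructed for this example.

// Constructed sample of a failed Management API request; domain and token are placeholders.
function sampleFailedRequest() {
  return {
    method: 'GET',
    url: 'https://tenant.example.invalid/api/v2/users',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': 'Bearer CONSTRUCTED_TOKEN_VALUE',
      'x-api-key': 'constructed-api-key',
    },
  };
}

// Before: block-list scrubbing. Only listed keys are redacted, so a secret-bearing
// header the list forgets (here Authorization) passes through intact.
const BLOCKED_HEADER_KEYS = new Set(['x-api-key', 'cookie']);
function sanitizeWithBlockList(request) {
  const headers = {};
  for (const [key, value] of Object.entries(request.headers)) {
    headers[key] = BLOCKED_HEADER_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return { ...request, headers };
}

// After: allow-list scrubbing. Only headers known to carry no credential are copied;
// everything else, Authorization in any casing included, is redacted.
const ALLOWED_HEADER_KEYS = new Set(['content-type', 'accept', 'user-agent']);
function sanitizeWithAllowList(request) {
  const headers = {};
  for (const [key, value] of Object.entries(request.headers)) {
    headers[key] = ALLOWED_HEADER_KEYS.has(key.toLowerCase()) ? value : '[REDACTED]';
  }
  return { ...request, headers };
}

// Builds the error object a caller would log, using the given sanitizer.
function buildError(sanitize) {
  return { message: 'Request failed', request: sanitize(sampleFailedRequest()) };
}

// Log-review check: does the serialized error still carry a bearer token?
function leaksBearerToken(errorObject) {
  return /Bearer\s+\S+/.test(JSON.stringify(errorObject));
}
```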
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
You are using the auth0 npm package.
You are using a Machine to Machine application authorized to use Auth0's Management API via the Client Credentials Flow.
How do I fix it?
Upgrade to version 2.27.1.
Will this update impact my users?
The fix provided in the patch will not affect your users.