GHSA-5jpf-pj32-xx53

GitHub Security Advisory

Authorization header is not sanitized in an error object in auth0

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Overview
Versions up to and including `2.27.0` use a block list of specific keys that are sanitized from the request object embedded in the error object. When a request to the Auth0 Management API fails, the `Authorization` header key is not on that list, so the header value survives in the error object and can be logged, exposing the Management API bearer token to anyone who can read the logs.
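The following is an added example, not code from the `auth0` package: a minimal model of the bug class described above. The error shape, the block list contents, the helper names and the sample token are all assumptions made for the demonstration. It places a block-list sanitizer that forgets `Authorization` beside an allow-list sanitizer for headers, and includes a small check you can run over serialized error logs to see whether bearer tokens are already in them.

```javascript
// Added example, not code from the auth0 package. The error shape, the
// block list and the helper names below are assumptions made for the demo.

// Constructed error object modelling a failed Management API call whose
// request (headers included) is attached to the error. The token value is
// a constructed placeholder, not a real credential.
function makeFailedRequestError() {
  const err = new Error('Request failed with status 403');
  err.statusCode = 403;
  err.request = {
    method: 'POST',
    url: 'https://example.auth0.com/api/v2/users',
    headers: {
      'Content-Type': 'application/json',
      Authorization: 'Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token',
    },
    body: { email: 'user@example.test', password: 'hunter2' },
  };
  return err;
}

// Vulnerable pattern: recursively redact keys that appear on a block list.
// Anything the list forgets (here, Authorization) reaches the logs intact.
const BLOCK_LIST = ['password', 'client_secret'];

function sanitizeByBlockList(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Array.isArray(value) ? [] : {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = BLOCK_LIST.includes(key) ? '[REDACTED]' : sanitizeByBlockList(inner);
  }
  return out;
}

// Hardened pattern: headers are kept only if they are on an allow list
// (matched case-insensitively), body keys are redacted by a case-insensitive
// block list, and only the fields useful for debugging are copied at all.
const SAFE_HEADERS = new Set(['content-type', 'accept', 'user-agent']);
const SENSITIVE_KEYS = new Set(['password', 'client_secret', 'secret', 'token']);

function redactBody(value) {
  if (value === null || typeof value !== 'object') return value;
  const out = Array.isArray(value) ? [] : {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : redactBody(inner);
  }
  return out;
}

function sanitizeForLogging(err) {
  const req = err.request || {};
  const headers = {};
  for (const [name, val] of Object.entries(req.headers || {})) {
    headers[name] = SAFE_HEADERS.has(name.toLowerCase()) ? val : '[REDACTED]';
  }
  return {
    message: err.message,
    statusCode: err.statusCode,
    request: { method: req.method, url: req.url, headers, body: redactBody(req.body) },
  };
}

// Check for the symptom: does a serialized log entry still carry a bearer token?
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+\/=-]+/;

function leaksBearerToken(logLine) {
  return BEARER_RE.test(logLine);
}

// Run both sanitizers over the same error and report whether each one leaks.
function compare() {
  const err = makeFailedRequestError();
  return {
    blockListLeaks: leaksBearerToken(JSON.stringify(sanitizeByBlockList(err))),
    hardenedLeaks: leaksBearerToken(JSON.stringify(sanitizeForLogging(err))),
  };
}

console.log(compare()); // { blockListLeaks: true, hardenedLeaks: false }
```

The design point is that a block list has to enumerate every secret-bearing key in advance and fails open whenever one is missed, whereas an allow list for headers fails closed: a header you did not think about is redacted by default. `leaksBearerToken` is the check to run over log lines you already have, since the advisory's fix only stops new leaks.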

### Am I affected?
You are affected by this vulnerability if all of the following conditions apply:

- You are using the `auth0` npm package
- You are using a Machine to Machine application authorized to call Auth0's Management API (https://auth0.com/docs/flows/concepts/client-credentials)

### How to fix that?
Upgrade to version `2.27.1`. Note that the upgrade only stops new leaks: any bearer token already written to logs by an earlier version remains valid until it expires, so check existing logs for `Authorization` values.

### Will this update impact my users?
The fix provided in this patch will not affect your users.

### Credit
http://github.com/osdiab

Affected Packages

npm auth0
Affected versions: <= 2.27.0 (fixed in 2.27.1)

Key Information

GHSA ID
GHSA-5jpf-pj32-xx53
Published
July 29, 2020 4:26 PM
Last Modified
January 7, 2021 11:44 PM
CVSS Score
7.5 / 10 (HIGH)
Primary Ecosystem
npm
Primary Package
auth0
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.