Overview
Versions before and including 2.27.0
use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization
header is not sanitized and the Authorization
header value can be logged exposing a bearer token.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
How to fix that?
Upgrade to version 2.27.1
Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
http://github.com/osdiab
Overview
Versions before and including
2.27.0
use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key forAuthorization
header is not sanitized and theAuthorization
header value can be logged exposing a bearer token.Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
auth0
npm packageHow to fix that?
Upgrade to version
2.27.1
Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
http://github.com/osdiab