CVE-2020-15125: Security Update for node-auth0 Library

On this page

Overview
Am I affected?
How to fix that?
Will this update impact my users?

Published: July 28, 2020 CVE number: CVE-2020-15125 Credit: Omar Diab (http://github.com/osdiab)

Overview

Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 fails, the key for Authorization header is not sanitized and the Authorization header value can be logged exposing a bearer token.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using auth0 npm package.
You are using a Machine to Machine application authorized to use Auth0’s management API Client Credentials Flow.

How to fix that?

Upgrade to version 2.27.1.

Will this update impact my users?

The fix provided in patch will not affect your users.

CVE-2020-15240: Security Update for omniauth-auth0 JWT Validation

CVE-2020-15119: Security Update for Auth0 Lock Library