CVE-2020-15125

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-15125

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15125.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15125

Aliases

GHSA-5jpf-pj32-xx53

Related

GHSA-5jpf-pj32-xx53

Withdrawn

2026-05-04T08:29:04.777055Z

Published

2020-07-29T17:15:13.577Z

Modified

2026-05-04T08:29:04.777055Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "2.27.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "2.27.1"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15125.json"