Auth0 Node.js Client Library Authorization Header Sanitization Vulnerability

Vulnerability

A vulnerability exists in the Auth0 Node.js client library (the node-auth0 npm package) in versions prior to 2.27.1. It affects Machine to Machine applications that are authorized to call Auth0's Management API. When a Management API request fails, the error the library surfaces still carries the original request's Authorization header, so the bearer token is not sanitized before the error reaches the caller. Any code path that logs that error (a catch block, an unhandled rejection handler, an APM or error-tracking integration) writes the token to the log verbatim. Anyone with read access to those logs, or to a pipeline that forwards them, can replay the token against the Management API until it expires.

Impact

Management API bearer tokens are exposed in application logs. A token recovered from a log grants whatever Management API scopes the Machine to Machine application holds (for example reading or modifying users) until the token expires, and the access is indistinguishable from the legitimate application's own calls.

Reproduction

With a version of the Auth0 Node.js client library prior to 2.27.1, make a Management API call that fails (for example, a request that the token's scopes do not permit, which returns a 403). Catch the resulting error and log it with the application's usual logger, or let it propagate to a default error handler. The serialized error contains the request's Authorization header with the unsanitized bearer token, which is then visible in the logs.

Remediation

Users should upgrade to Auth0 Node.js client library version 2.27.1 or later. Upgrading does not remove tokens that have already been written to logs: operators should search existing logs for Authorization headers or "Bearer" values, scrub or restrict access to affected log data, and treat any token found there as compromised. Short token lifetimes limit the replay window, and error-logging code should redact sensitive headers regardless of which HTTP client produced the error.

Added: Mar 11, 2026, 7:08 PM
Updated: Mar 11, 2026, 7:08 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  5.8
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.