Auth0.js Information Disclosure Vulnerability in Error Object

Vulnerability

A vulnerability exists in the Auth0.js library (NPM package auth0-js) in versions 8.0.0 and later, prior to 9.12.3. When an authentication attempt fails, the error object the library returns carries the original request that was sent, and for password-based flows that request includes the user's password in plaintext. Any code path that logs, stores, or displays the error object as returned therefore leaks the password along with it.

Impact

Passwords that leak through unfiltered error objects end up in places that are rarely protected like credential stores: application logs, error-tracking and monitoring services, browser consoles, and support tickets. Anyone with read access to those sinks obtains working credentials, enabling unauthorized access to the affected account and, where the password is reused, to other services as well.

Reproduction

To reproduce this vulnerability, use an Auth0.js version from 8.0.0 up to but not including 9.12.3 and trigger an authentication failure, for example a login with an incorrect password. Inspect the error object the library hands back: it contains the original request data, including the plaintext password that was submitted. If that object is logged or exposed without modification, the password is visible to whoever can read the log or error output.

Remediation

Upgrade Auth0.js to version 9.12.3 or later, where the password is masked in the returned error object. If an immediate upgrade is not possible, do not log, store, or transmit the error object as returned by the library: strip or redact the embedded original request (at a minimum, any password field) before the error reaches a log, an error-tracking service, or a client-visible error display. Treat the fields you keep (error code, description, status code) as the only safe content.
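The following is an added example for the interim redaction step above; it is not code from the advisory or from the auth0-js project. The error shape it operates on is constructed for illustration: affected versions attach the original request to the error object, but the exact property names differ between versions, so the redactor walks every key of the object instead of relying on a single path. It also handles the cases that make naive redaction fail in practice: a request body kept as a serialized JSON string, credentials in an `authorization` header, Error instances whose `message` is non-enumerable, and circular references (common in network-error objects), which would otherwise make `JSON.stringify` throw before anything is logged.

```javascript
// Added example, not part of the original advisory or of auth0-js.
// Redacts credentials from an error object before it is logged.

// Keys whose values are never safe to log. Matched case-insensitively so
// header names such as "Authorization" are caught as well.
const SENSITIVE_KEYS = new Set([
  'password', 'passwd', 'pwd', 'client_secret', 'secret',
  'authorization', 'access_token', 'refresh_token', 'id_token',
]);

// If a string is a serialized JSON object (e.g. a request body kept in raw
// form), redact inside it and re-serialize; any other string is returned as is.
function redactSerializedBody(str) {
  try {
    const parsed = JSON.parse(str);
    if (parsed && typeof parsed === 'object') {
      return JSON.stringify(redactSensitive(parsed));
    }
  } catch (_) {
    // Not JSON: leave untouched.
  }
  return str;
}

// Returns a deep copy of `value` with every sensitive key replaced by a
// marker. `seen` tracks visited objects so circular graphs terminate.
function redactSensitive(value, seen = new WeakSet()) {
  if (typeof value === 'string') return redactSerializedBody(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);

  if (Array.isArray(value)) return value.map((v) => redactSensitive(v, seen));

  const out = {};
  if (value instanceof Error) {
    // name and message are non-enumerable on Error, so copy them explicitly.
    out.name = value.name;
    out.message = redactSerializedBody(value.message);
  }
  for (const key of Object.keys(value)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase())
      ? '[REDACTED]'
      : redactSensitive(value[key], seen);
  }
  return out;
}

// Constructed sample shaped like an error from a failed username/password
// login. The `original.request` layout is an assumption for illustration,
// not a verified dump from the library.
const sampleError = {
  code: 'access_denied',
  description: 'Wrong email or password.',
  statusCode: 401,
  original: {
    status: 401,
    request: {
      method: 'POST',
      url: 'https://YOUR_DOMAIN/co/authenticate',
      headers: { 'Content-Type': 'application/json', Authorization: 'Bearer abc' },
      body: {
        client_id: 'abc123',
        username: 'alice@example.com',
        password: 'S3cret!',
        realm: 'Username-Password-Authentication',
      },
      rawBody: '{"username":"alice@example.com","password":"S3cret!"}',
    },
  },
};
// Network-error objects frequently reference their parent; simulate that.
sampleError.original.request.parentError = sampleError;

// What should actually go to the logger.
const loggableError = redactSensitive(sampleError);
console.log(JSON.stringify(loggableError, null, 2));
```

Use `redactSensitive(err)` at the single point where authentication errors are handed to your logger or error-tracking client, so the unredacted object never leaves the callback. Dropping `original` entirely is the blunter alternative; the redactor above keeps the non-secret request context (method, URL, username) that is useful when debugging a failed login.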

Added: Mar 11, 2026, 6:45 PM
Updated: Mar 11, 2026, 6:45 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 5.4
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.