Skip to content

Information disclosure through error object in auth0.js

High severity GitHub Reviewed Published Apr 9, 2020 in auth0/auth0.js • Updated Jan 9, 2023

Package

npm auth0-js (npm)

Affected versions

>= 8.0.0, < 9.13.2

Patched versions

9.13.2

Description

Overview

Between versions 8.0.0 and 9.13.1(inclusive), in the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered.

If the error object is exposed or logged without modification, the application risks password exposure.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using Auth0.js version between 8.0.0 and 9.13.1(inclusive).
  • You store or display error objects without filtering.

How to fix that?

Developers should upgrade auth0.js to version 9.13.2 or later where user inputted passwords are masked in errors. If upgrading is not possible, a temporary fix may include not storing the error object or displaying it publicly without modification.

Will this update impact my users?

This fix patches the Auth0.js and may require changes in application code due to password no longer available in error object, but it will not impact your users, their current state, or any existing sessions.

References

@MarcinHoppe MarcinHoppe published to auth0/auth0.js Apr 9, 2020
Reviewed Apr 9, 2020
Published to the GitHub Advisory Database Apr 10, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.063%
(28th percentile)

Weaknesses

CVE ID

CVE-2020-5263

GHSA ID

GHSA-prfq-f66g-43mp

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.