CVE-2020-15125

Name: CVE-2020-15125
Creator: NVD / NIST
Published: 2020-07-29T17:15:13.577+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.7/10EPSS 1.54%

Last modified Jun 17, 2026

CVE-2020-15125 is a high-severity vulnerability rated 7.7/10 on the CVSS scale. In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. EPSS estimates a 1.54% chance of exploitation in the next 30 days.

Description

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API

Metrics

CVSS 3.1

7.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Probability

1.54%

71.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Auth0	Auth0.Js	< 2.27.1

References

https://github.com/auth0/node-auth0/pull/507Patch, Third Party Advisory
https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3cPatch, Third Party Advisory
https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53Third Party Advisory
https://github.com/auth0/node-auth0/tree/v2.27.1Release Notes, Third Party Advisory
https://github.com/auth0/node-auth0/pull/507Patch, Third Party Advisory
https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3cPatch, Third Party Advisory
https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53Third Party Advisory
https://github.com/auth0/node-auth0/tree/v2.27.1Release Notes, Third Party Advisory

Timeline

Published: Jul 29, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15125?

How severe is CVE-2020-15125?

CVE-2020-15125 has a CVSS score of 7.7/10 (HIGH severity). The EPSS model estimates a 1.54% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15125?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-15125?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST