GCVE - cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Auth0 (`bd827468-a826-51d4-9e05-912ec56b4756`)
Product	Auth0.Js (`6adc3c3c-d472-5975-8752-ab19ca2fb831`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/auth0/auth0.js`	purl2cpe	2026-06-01 10:16:14.391014
`pkg:npm/auth0.js`	purl2cpe	2026-06-01 10:16:14.391017

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-42280`	vulnerable	2026-06-03 15:25:00.904851	Improper Permission Checking in Auth.js SDK HIGH (7.1) Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0. Published: 2026-05-27T14:39:15.789Z Updated: 2026-05-28T15:36:56.102Z Open on db.gcve.eu Reference links https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-5263`	vulnerable	2026-06-03 14:42:55.386991	Information disclosure through error object MEDIUM (5.5) auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3 Published: 2020-04-09T15:50:12.000Z Updated: 2024-08-04T08:22:09.088Z Open on db.gcve.eu Reference links https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-15125`	vulnerable	2026-06-03 14:41:45.289054	Authorization header is not sanitized in an error object in auth0 HIGH (7.7) In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API Published: 2020-07-29T16:25:15.000Z Updated: 2024-08-04T13:08:22.304Z Open on db.gcve.eu Reference links https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53 https://github.com/auth0/node-auth0/pull/507 https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c https://github.com/auth0/node-auth0/tree/v2.27.1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-7307`	vulnerable	2026-06-03 14:39:06.809276	Details available The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter. Published: 2018-03-06T15:00:00.000Z Updated: 2024-08-05T06:24:11.872Z Open on db.gcve.eu Reference links https://auth0.com/docs/security/bulletins/cve-2018-7307	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-6874`	vulnerable	2026-06-03 14:39:00.880337	Details available CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled. Published: 2018-04-04T17:00:00.000Z Updated: 2024-08-05T06:17:16.763Z Open on db.gcve.eu Reference links https://auth0.com/docs/security/bulletins/cve-2018-6874 http://www.securityfocus.com/bid/103695	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-6873`	vulnerable	2026-06-03 14:39:00.879929	Details available The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated. Published: 2018-04-04T17:00:00.000Z Updated: 2024-08-05T06:17:16.585Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/103695 https://auth0.com/docs/security/bulletins/cve-2018-6873	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-17068`	vulnerable	2026-06-03 14:36:53.883493	Details available A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback(). Published: 2017-12-06T19:00:00.000Z Updated: 2024-08-05T20:43:59.695Z Open on db.gcve.eu Reference links https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/ https://auth0.com/docs/security/bulletins/cve-2017-17068	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.