Skip to main content

Auth0

6 CVEs infrastructure

Monthly

CVE-2026-42280 npm HIGH PATCH GHSA This Week

Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0, discovered through coordinated disclosure by security researcher Quan Le.

Authentication Bypass Auth0
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-40155 npm MEDIUM PATCH GHSA This Month

Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.

Authentication Bypass Nextjs Auth0 Auth0
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34236 PHP HIGH PATCH GHSA This Week

Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.

PHP Information Disclosure Auth0
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-65945 npm HIGH PATCH This Week

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Authentication Bypass Node.js Node Jws Red Hat Auth0
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2017-16897 npm HIGH PATCH This Week

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Passport Wsfed Saml2 Auth0
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-17068 npm HIGH POC PATCH This Week

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Auth0 Js Auth0
NVD
CVSS 3.0
7.5
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0, discovered through coordinated disclosure by security researcher Quan Le.

Authentication Bypass Auth0
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.

Authentication Bypass Nextjs Auth0 Auth0
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.

PHP Information Disclosure Auth0
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Authentication Bypass Node.js Node Jws +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Passport Wsfed Saml2 Auth0
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Auth0 Js Auth0
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy