Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/54751?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/54751?format=api", "purl": "pkg:npm/auth0-js@8.12.0", "type": "npm", "namespace": "", "name": "auth0-js", "version": "8.12.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "10.0.0", "latest_non_vulnerable_version": "10.0.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39462?format=api", "vulnerability_id": "VCID-cfu4-873a-rbgv", "summary": "Cross-Site Request Forgery (CSRF)\nThe Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7307", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42284", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42344", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42359", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42371", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7307" }, { "reference_url": "https://github.com/advisories/GHSA-wpq7-q8j4-72jg", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpq7-q8j4-72jg" }, { "reference_url": "https://auth0.com/docs/security/bulletins/cve-2018-7307", "reference_id": "CVE-2018-7307", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://auth0.com/docs/security/bulletins/cve-2018-7307" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7307", "reference_id": "CVE-2018-7307", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7307" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55126?format=api", "purl": "pkg:npm/auth0-js@9.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mwey-ne6v-bkea" }, { "vulnerability": "VCID-us7k-vw3e-x7f3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.3.0" } ], "aliases": [ "CVE-2018-7307", "GHSA-wpq7-q8j4-72jg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cfu4-873a-rbgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39534?format=api", "vulnerability_id": "VCID-edhw-mrxm-u3hy", "summary": "Cross-Site Request Forgery (CSRF)\nCSRF exists in the Auth0 authentication service when the Legacy Lock API flag is enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6874", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38372", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38344", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38281", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38369", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6874" }, { "reference_url": "https://github.com/advisories/GHSA-wv26-rj8c-4r33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wv26-rj8c-4r33" }, { "reference_url": "http://www.securityfocus.com/bid/103695", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/103695" }, { "reference_url": "https://auth0.com/docs/security/bulletins/cve-2018-6874", "reference_id": "CVE-2018-6874", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://auth0.com/docs/security/bulletins/cve-2018-6874" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6874", "reference_id": "CVE-2018-6874", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6874" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55316?format=api", "purl": "pkg:npm/auth0-js@8.12.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cfu4-873a-rbgv" }, { "vulnerability": "VCID-edhw-mrxm-u3hy" }, { "vulnerability": "VCID-mwey-ne6v-bkea" }, { "vulnerability": "VCID-us7k-vw3e-x7f3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.12.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/143744?format=api", "purl": "pkg:npm/auth0-js@9.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cfu4-873a-rbgv" }, { "vulnerability": "VCID-mwey-ne6v-bkea" }, { "vulnerability": "VCID-us7k-vw3e-x7f3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.0.0" } ], "aliases": [ "CVE-2018-6874", "GHSA-wv26-rj8c-4r33" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-edhw-mrxm-u3hy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95393?format=api", "vulnerability_id": "VCID-mwey-ne6v-bkea", "summary": "Auth.js SDK has Improper Permission Checking\n### Description\nUnder specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.\n\n### Am I Affected?\nUsers are affected if they meet each of the following preconditions:\n- Applications built using Auth0.js version between 8.11.0 and 9.32.0\n- The application’s access control relies on rules defined in Auth0 Actions.\n\n\n### Affected product and versions\nauth0.js SDK v8.11.0 to v9.32.0\n\n### Resolution\nUpgrade auth0/auth0.js to v10.0.0 or greater.\n\n### Acknowledgements\nOkta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42280", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.1346", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13493", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.135", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42280" }, { "reference_url": "https://github.com/auth0/auth0.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/auth0.js" }, { "reference_url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T15:36:47Z/" } ], "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42280", "reference_id": "CVE-2026-42280", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42280" }, { "reference_url": "https://github.com/advisories/GHSA-8qjv-jj2q-x832", "reference_id": "GHSA-8qjv-jj2q-x832", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8qjv-jj2q-x832" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/119458?format=api", "purl": "pkg:npm/auth0-js@10.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@10.0.0" } ], "aliases": [ "CVE-2026-42280", "GHSA-8qjv-jj2q-x832" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mwey-ne6v-bkea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52498?format=api", "vulnerability_id": "VCID-us7k-vw3e-x7f3", "summary": "Insufficiently Protected Credentials\nIn the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46038", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.45989", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.46058", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00231", "scoring_system": "epss", "scoring_elements": "0.4606", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5263" }, { "reference_url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828" }, { "reference_url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5263", "reference_id": "CVE-2020-5263", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5263" }, { "reference_url": "https://github.com/advisories/GHSA-prfq-f66g-43mp", "reference_id": "GHSA-prfq-f66g-43mp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-prfq-f66g-43mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77100?format=api", "purl": "pkg:npm/auth0-js@9.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mwey-ne6v-bkea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.13.2" } ], "aliases": [ "CVE-2020-5263", "GHSA-prfq-f66g-43mp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-us7k-vw3e-x7f3" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39199?format=api", "vulnerability_id": "VCID-53ug-2gch-bqhr", "summary": "Information Exposure\nA cross-origin vulnerability has been discovered in auth0. This vulnerability allows an attacker to acquire authenticated user tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with `auth0.popup.callback().`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-17068", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56084", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56132", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56144", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56138", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-17068" }, { "reference_url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068" }, { "reference_url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/" }, { "reference_url": "https://github.com/advisories/GHSA-3rpr-mg43-xhq4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3rpr-mg43-xhq4" }, { "reference_url": "https://auth0.com/docs/security/bulletins/cve-2017-17068", "reference_id": "CVE-2017-17068", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://auth0.com/docs/security/bulletins/cve-2017-17068" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17068", "reference_id": "CVE-2017-17068", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17068" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54751?format=api", "purl": "pkg:npm/auth0-js@8.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cfu4-873a-rbgv" }, { "vulnerability": "VCID-edhw-mrxm-u3hy" }, { "vulnerability": "VCID-mwey-ne6v-bkea" }, { "vulnerability": "VCID-us7k-vw3e-x7f3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.12.0" } ], "aliases": [ "CVE-2017-17068", "GHSA-3rpr-mg43-xhq4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-53ug-2gch-bqhr" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.12.0" }