VulnerableCode Package Details - pkg:npm/auth0-js@8.11.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/auth0-js@8.11.0

Essentials
History (10)

purl	pkg:npm/auth0-js@8.11.0

Next non-vulnerable version	10.0.0
Latest non-vulnerable version	10.0.0
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-53ug-2gch-bqhr Aliases: CVE-2017-17068 GHSA-3rpr-mg43-xhq4	Information Exposure A cross-origin vulnerability has been discovered in auth0. This vulnerability allows an attacker to acquire authenticated user tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with `auth0.popup.callback().`	8.12.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-cfu4-873a-rbgv Aliases: CVE-2018-7307 GHSA-wpq7-q8j4-72jg	Cross-Site Request Forgery (CSRF) The Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter.	9.3.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-edhw-mrxm-u3hy Aliases: CVE-2018-6874 GHSA-wv26-rj8c-4r33	Cross-Site Request Forgery (CSRF) CSRF exists in the Auth0 authentication service when the Legacy Lock API flag is enabled.	8.12.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-mwey-ne6v-bkea Aliases: CVE-2026-42280 GHSA-8qjv-jj2q-x832	Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.	10.0.0 Affected by 0 other vulnerabilities.
VCID-us7k-vw3e-x7f3 Aliases: CVE-2020-5263 GHSA-prfq-f66g-43mp	Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.	9.13.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-3jcm-6tna-e7b8	Improper Authentication The Auth0 authentication service allows privilege escalation because the JWT audience field is not validated.	CVE-2018-6873

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-07T20:54:55.924859+00:00	GHSA Importer	Affected by	VCID-mwey-ne6v-bkea	https://github.com/advisories/GHSA-8qjv-jj2q-x832	38.6.0
2026-06-06T23:16:04.589687+00:00	GHSA Importer	Affected by	VCID-edhw-mrxm-u3hy	https://github.com/advisories/GHSA-wv26-rj8c-4r33	38.6.0
2026-06-06T23:10:34.442715+00:00	GHSA Importer	Affected by	VCID-cfu4-873a-rbgv	https://github.com/advisories/GHSA-wpq7-q8j4-72jg	38.6.0
2026-06-06T23:10:20.193930+00:00	GHSA Importer	Affected by	VCID-53ug-2gch-bqhr	https://github.com/advisories/GHSA-3rpr-mg43-xhq4	38.6.0
2026-06-06T08:27:59.100421+00:00	GitLab Importer	Affected by	VCID-mwey-ne6v-bkea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2026-42280.yml	38.6.0
2026-06-04T20:29:21.064510+00:00	GitLab Importer	Affected by	VCID-us7k-vw3e-x7f3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2020-5263.yml	38.6.0
2026-06-04T20:11:45.354461+00:00	GitLab Importer	Affected by	VCID-edhw-mrxm-u3hy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2018-6874.yml	38.6.0
2026-06-04T20:11:25.351740+00:00	GitLab Importer	Affected by	VCID-cfu4-873a-rbgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2018-7307.yml	38.6.0
2026-06-04T20:10:24.694412+00:00	GitLab Importer	Affected by	VCID-53ug-2gch-bqhr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2017-17068.yml	38.6.0
2026-06-02T04:37:38.077638+00:00	GitLab Importer	Fixing	VCID-3jcm-6tna-e7b8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2018-6873.yml	38.6.0