VulnerableCode Package Details - pkg:npm/auth0-js@9.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-cfu4-873a-rbgv Aliases: CVE-2018-7307 GHSA-wpq7-q8j4-72jg	Cross-Site Request Forgery (CSRF) The Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter.	9.3.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-mwey-ne6v-bkea Aliases: CVE-2026-42280 GHSA-8qjv-jj2q-x832	Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.	10.0.0 Affected by 0 other vulnerabilities.
VCID-us7k-vw3e-x7f3 Aliases: CVE-2020-5263 GHSA-prfq-f66g-43mp	Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.	9.13.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-cfu4-873a-rbgv
Aliases:
CVE-2018-7307
GHSA-wpq7-q8j4-72jg

Cross-Site Request Forgery (CSRF) The Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter.

9.3.0
Affected by 2 other vulnerabilities.

VCID-mwey-ne6v-bkea
Aliases:
CVE-2026-42280
GHSA-8qjv-jj2q-x832

Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.

10.0.0
Affected by 0 other vulnerabilities.

VCID-us7k-vw3e-x7f3
Aliases:
CVE-2020-5263
GHSA-prfq-f66g-43mp

Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.

9.13.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T23:10:34.529687+00:00	GHSA Importer	Affected by	VCID-cfu4-873a-rbgv	https://github.com/advisories/GHSA-wpq7-q8j4-72jg	38.6.0
2026-06-06T08:27:59.181032+00:00	GitLab Importer	Affected by	VCID-mwey-ne6v-bkea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2026-42280.yml	38.6.0
2026-06-04T20:29:21.150240+00:00	GitLab Importer	Affected by	VCID-us7k-vw3e-x7f3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2020-5263.yml	38.6.0
2026-06-04T20:11:25.389326+00:00	GitLab Importer	Affected by	VCID-cfu4-873a-rbgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2018-7307.yml	38.6.0