VulnerableCode Package Details - pkg:npm/auth0-js@9.13.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-mwey-ne6v-bkea Aliases: CVE-2026-42280 GHSA-8qjv-jj2q-x832	Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.	10.0.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mwey-ne6v-bkea
Aliases:
CVE-2026-42280
GHSA-8qjv-jj2q-x832

Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.

10.0.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-us7k-vw3e-x7f3	Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.	CVE-2020-5263 GHSA-prfq-f66g-43mp

Vulnerability

Summary

Aliases

VCID-us7k-vw3e-x7f3

Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.

CVE-2020-5263
GHSA-prfq-f66g-43mp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:27:59.394894+00:00	GitLab Importer	Affected by	VCID-mwey-ne6v-bkea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2026-42280.yml	38.6.0
2026-06-05T21:11:30.327799+00:00	GHSA Importer	Fixing	VCID-us7k-vw3e-x7f3	https://github.com/advisories/GHSA-prfq-f66g-43mp	38.6.0
2026-06-04T17:21:30.063957+00:00	GithubOSV Importer	Fixing	VCID-us7k-vw3e-x7f3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-prfq-f66g-43mp/GHSA-prfq-f66g-43mp.json	38.6.0
2026-06-04T16:19:55.522725+00:00	GitLab Importer	Fixing	VCID-us7k-vw3e-x7f3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2020-5263.yml	38.6.0