Search for packages
| purl | pkg:npm/auth0-js@9.7.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-mwey-ne6v-bkea
Aliases: CVE-2026-42280 GHSA-8qjv-jj2q-x832 |
Auth.js SDK has Improper Permission Checking ### Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. ### Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built using Auth0.js version between 8.11.0 and 9.32.0 - The application’s access control relies on rules defined in Auth0 Actions. ### Affected product and versions auth0.js SDK v8.11.0 to v9.32.0 ### Resolution Upgrade auth0/auth0.js to v10.0.0 or greater. ### Acknowledgements Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure. |
Affected by 0 other vulnerabilities. |
|
VCID-us7k-vw3e-x7f3
Aliases: CVE-2020-5263 GHSA-prfq-f66g-43mp |
Insufficiently Protected Credentials In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:27:59.300312+00:00 | GitLab Importer | Affected by | VCID-mwey-ne6v-bkea | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2026-42280.yml | 38.6.0 |
| 2026-06-04T20:29:21.280506+00:00 | GitLab Importer | Affected by | VCID-us7k-vw3e-x7f3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-js/CVE-2020-5263.yml | 38.6.0 |