Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/auth0-lock@11.21.0
purl pkg:npm/auth0-lock@11.21.0
Next non-vulnerable version 11.33.0
Latest non-vulnerable version 11.33.0
Risk 2.9
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-2r6q-ehzz-6yb4
Aliases:
CVE-2020-15119
GHSA-6gg3-pmm7-97xc
Cross-site Scripting In auth0-lock `dangerouslySetInnerHTML` is used to update the DOM. When `dangerouslySetInnerHTML` is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
11.26.0
Affected by 2 other vulnerabilities.
11.26.3
Affected by 2 other vulnerabilities.
VCID-fnw8-u5tm-7qfu
Aliases:
CVE-2022-29172
GHSA-7ww6-75fj-jcj7
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`.
11.33.0
Affected by 0 other vulnerabilities.
VCID-k2s5-kxvv-17hn
Aliases:
CVE-2021-32641
GHSA-jr3j-whm4-9wwm
Cross-site Scripting auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`.
11.30.1
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-k3m2-21vz-x7cw Cross-site Scripting Auth0 Lock allows XSS when `additionalSignUpFields` is used with an untrusted placeholder. CVE-2019-20174
GHSA-w2pf-g6r8-pg22

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T01:45:19.614383+00:00 GitLab Importer Affected by VCID-fnw8-u5tm-7qfu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2022-29172.yml 38.6.0
2026-06-06T00:43:52.302479+00:00 GitLab Importer Affected by VCID-k2s5-kxvv-17hn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2021-32641.yml 38.6.0
2026-06-05T21:10:55.593464+00:00 GHSA Importer Fixing VCID-k3m2-21vz-x7cw https://github.com/advisories/GHSA-w2pf-g6r8-pg22 38.6.0
2026-06-04T20:34:20.701505+00:00 GitLab Importer Affected by VCID-2r6q-ehzz-6yb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2020-15119.yml 38.6.0
2026-06-04T17:23:18.048764+00:00 GithubOSV Importer Fixing VCID-k3m2-21vz-x7cw https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w2pf-g6r8-pg22/GHSA-w2pf-g6r8-pg22.json 38.6.0
2026-06-04T16:19:46.667250+00:00 GitLab Importer Fixing VCID-k3m2-21vz-x7cw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2019-20174.yml 38.6.0