Lookup for vulnerable packages by Package URL.

Purl pkg:npm/auth0-js@8.11.0
Type npm
Namespace
Name auth0-js
Version 8.11.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.0.0
Latest_non_vulnerable_version 10.0.0
Affected_by_vulnerabilities
0
url VCID-53ug-2gch-bqhr
vulnerability_id VCID-53ug-2gch-bqhr
summary
Information Exposure
A cross-origin vulnerability has been discovered in auth0. This vulnerability allows an attacker to acquire authenticated user tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with `auth0.popup.callback()`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-17068
reference_id
reference_type
scores
0
value 0.00329
scoring_system epss
scoring_elements 0.56144
published_at 2026-06-06T12:55:00Z
1
value 0.00329
scoring_system epss
scoring_elements 0.56115
published_at 2026-06-08T12:55:00Z
2
value 0.00329
scoring_system epss
scoring_elements 0.56132
published_at 2026-06-07T12:55:00Z
3
value 0.00329
scoring_system epss
scoring_elements 0.56084
published_at 2026-06-04T12:55:00Z
4
value 0.00329
scoring_system epss
scoring_elements 0.56138
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-17068
1
reference_url https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068
2
reference_url https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/
reference_id
reference_type
scores
url https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/
3
reference_url https://github.com/advisories/GHSA-3rpr-mg43-xhq4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-3rpr-mg43-xhq4
4
reference_url https://auth0.com/docs/security/bulletins/cve-2017-17068
reference_id CVE-2017-17068
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://auth0.com/docs/security/bulletins/cve-2017-17068
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-17068
reference_id CVE-2017-17068
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-17068
fixed_packages
0
url pkg:npm/auth0-js@8.12.0
purl pkg:npm/auth0-js@8.12.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cfu4-873a-rbgv
1
vulnerability VCID-edhw-mrxm-u3hy
2
vulnerability VCID-mwey-ne6v-bkea
3
vulnerability VCID-us7k-vw3e-x7f3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.12.0
aliases CVE-2017-17068, GHSA-3rpr-mg43-xhq4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-53ug-2gch-bqhr
1
url VCID-cfu4-873a-rbgv
vulnerability_id VCID-cfu4-873a-rbgv
summary
Cross-Site Request Forgery (CSRF)
The Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-7307
reference_id
reference_type
scores
0
value 0.00203
scoring_system epss
scoring_elements 0.4231
published_at 2026-06-08T12:55:00Z
1
value 0.00203
scoring_system epss
scoring_elements 0.42284
published_at 2026-06-04T12:55:00Z
2
value 0.00203
scoring_system epss
scoring_elements 0.42359
published_at 2026-06-05T12:55:00Z
3
value 0.00203
scoring_system epss
scoring_elements 0.42371
published_at 2026-06-06T12:55:00Z
4
value 0.00203
scoring_system epss
scoring_elements 0.42344
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-7307
1
reference_url https://github.com/advisories/GHSA-wpq7-q8j4-72jg
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-wpq7-q8j4-72jg
2
reference_url https://auth0.com/docs/security/bulletins/cve-2018-7307
reference_id CVE-2018-7307
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://auth0.com/docs/security/bulletins/cve-2018-7307
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-7307
reference_id CVE-2018-7307
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-7307
fixed_packages
0
url pkg:npm/auth0-js@9.3.0
purl pkg:npm/auth0-js@9.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mwey-ne6v-bkea
1
vulnerability VCID-us7k-vw3e-x7f3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.3.0
aliases CVE-2018-7307, GHSA-wpq7-q8j4-72jg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cfu4-873a-rbgv
2
url VCID-edhw-mrxm-u3hy
vulnerability_id VCID-edhw-mrxm-u3hy
summary
Cross-Site Request Forgery (CSRF)
CSRF exists in the Auth0 authentication service when the Legacy Lock API flag is enabled.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-6874
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.38281
published_at 2026-06-04T12:55:00Z
1
value 0.00172
scoring_system epss
scoring_elements 0.38315
published_at 2026-06-08T12:55:00Z
2
value 0.00172
scoring_system epss
scoring_elements 0.38369
published_at 2026-06-05T12:55:00Z
3
value 0.00172
scoring_system epss
scoring_elements 0.38344
published_at 2026-06-07T12:55:00Z
4
value 0.00172
scoring_system epss
scoring_elements 0.38372
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-6874
1
reference_url https://github.com/advisories/GHSA-wv26-rj8c-4r33
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-wv26-rj8c-4r33
2
reference_url http://www.securityfocus.com/bid/103695
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/103695
3
reference_url https://auth0.com/docs/security/bulletins/cve-2018-6874
reference_id CVE-2018-6874
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://auth0.com/docs/security/bulletins/cve-2018-6874
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-6874
reference_id CVE-2018-6874
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-6874
fixed_packages
0
url pkg:npm/auth0-js@8.12.2
purl pkg:npm/auth0-js@8.12.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cfu4-873a-rbgv
1
vulnerability VCID-edhw-mrxm-u3hy
2
vulnerability VCID-mwey-ne6v-bkea
3
vulnerability VCID-us7k-vw3e-x7f3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.12.2
1
url pkg:npm/auth0-js@9.0.0
purl pkg:npm/auth0-js@9.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cfu4-873a-rbgv
1
vulnerability VCID-mwey-ne6v-bkea
2
vulnerability VCID-us7k-vw3e-x7f3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.0.0
aliases CVE-2018-6874, GHSA-wv26-rj8c-4r33
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-edhw-mrxm-u3hy
3
url VCID-mwey-ne6v-bkea
vulnerability_id VCID-mwey-ne6v-bkea
summary
Auth.js SDK has Improper Permission Checking
### Description
Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.

### Am I Affected?
Users are affected if they meet each of the following preconditions:
- Applications built using Auth0.js versions between 8.11.0 and 9.32.0
- The application’s access control relies on rules defined in Auth0 Actions.


### Affected product and versions
auth0.js SDK v8.11.0 to v9.32.0

### Resolution
Upgrade auth0/auth0.js to v10.0.0 or greater.

### Acknowledgements
Okta would like to thank Quan Le (@aleister1102) for their discovery and responsible disclosure.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42280
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.1346
published_at 2026-06-07T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13493
published_at 2026-06-05T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.135
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42280
1
reference_url https://github.com/auth0/auth0.js
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/auth0.js
2
reference_url https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T15:36:47Z/
url https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42280
reference_id CVE-2026-42280
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-42280
4
reference_url https://github.com/advisories/GHSA-8qjv-jj2q-x832
reference_id GHSA-8qjv-jj2q-x832
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8qjv-jj2q-x832
fixed_packages
0
url pkg:npm/auth0-js@10.0.0
purl pkg:npm/auth0-js@10.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@10.0.0
aliases CVE-2026-42280, GHSA-8qjv-jj2q-x832
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mwey-ne6v-bkea
4
url VCID-us7k-vw3e-x7f3
vulnerability_id VCID-us7k-vw3e-x7f3
summary
Insufficiently Protected Credentials
In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5263
reference_id
reference_type
scores
0
value 0.00231
scoring_system epss
scoring_elements 0.46012
published_at 2026-06-08T12:55:00Z
1
value 0.00231
scoring_system epss
scoring_elements 0.45989
published_at 2026-06-04T12:55:00Z
2
value 0.00231
scoring_system epss
scoring_elements 0.46058
published_at 2026-06-05T12:55:00Z
3
value 0.00231
scoring_system epss
scoring_elements 0.4606
published_at 2026-06-06T12:55:00Z
4
value 0.00231
scoring_system epss
scoring_elements 0.46038
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5263
1
reference_url https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828
2
reference_url https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5263
reference_id CVE-2020-5263
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5263
4
reference_url https://github.com/advisories/GHSA-prfq-f66g-43mp
reference_id GHSA-prfq-f66g-43mp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-prfq-f66g-43mp
fixed_packages
0
url pkg:npm/auth0-js@9.13.2
purl pkg:npm/auth0-js@9.13.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mwey-ne6v-bkea
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@9.13.2
aliases CVE-2020-5263, GHSA-prfq-f66g-43mp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-us7k-vw3e-x7f3
Fixing_vulnerabilities
0
url VCID-3jcm-6tna-e7b8
vulnerability_id VCID-3jcm-6tna-e7b8
summary
Improper Authentication
The Auth0 authentication service allows privilege escalation because the JWT audience field is not validated.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-6873
reference_id
reference_type
scores
0
value 0.04363
scoring_system epss
scoring_elements 0.89139
published_at 2026-06-04T12:55:00Z
1
value 0.04363
scoring_system epss
scoring_elements 0.89155
published_at 2026-06-05T12:55:00Z
2
value 0.04363
scoring_system epss
scoring_elements 0.89156
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-6873
1
reference_url http://www.securityfocus.com/bid/103695
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/103695
2
reference_url https://auth0.com/docs/security/bulletins/cve-2018-6873
reference_id CVE-2018-6873
reference_type
scores
url https://auth0.com/docs/security/bulletins/cve-2018-6873
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-6873
reference_id CVE-2018-6873
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-6873
fixed_packages
0
url pkg:npm/auth0-js@8.11.0
purl pkg:npm/auth0-js@8.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-53ug-2gch-bqhr
1
vulnerability VCID-cfu4-873a-rbgv
2
vulnerability VCID-edhw-mrxm-u3hy
3
vulnerability VCID-mwey-ne6v-bkea
4
vulnerability VCID-us7k-vw3e-x7f3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.11.0
aliases CVE-2018-6873
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3jcm-6tna-e7b8
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/auth0-js@8.11.0