Description
The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it’s missing from the authorization response, leaving the client vulnerable to CSRF attacks.
Recommendation
Update the auth0-js package to the latest compatible version. Followings are version details:
- Affected version(s): < 9.3.0
- Patched version(s): 9.3.0
References
Related Issues
- Cross-Site Request Forgery (CSRF) in Auth0 - CVE-2018-6874
- pym.js CSRF Vulnerability - CVE-2018-1000086
- auth0-js Privilege Escalation Vulnerability - CVE-2017-17068
- Auth0 angular-jwt misinterprets allowlist as regex - CVE-2018-11537
- Tags:
- npm
- auth0-js
Anything's wrong? Let us know Last updated on January 09, 2023