Description
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users’ tokens and invoke services on a user’s behalf if the target site or application uses a popup callback page with auth0.popup.callback().
Recommendation
Update the auth0-js package to the latest compatible version. Followings are version details:
- Affected version(s): < 8.12.0
- Patched version(s): 8.12.0
References
Related Issues
- Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution - CVE-2026-41208
- mongosh vulnerable to local privilege escalation - CVE-2025-1756
- StudioCMS has Privilege Escalation via Insecure API Token Generation - CVE-2026-30944
- Moderate severity vulnerability that affects marked - CVE-2017-17461
You might also like:
- Tags:
- npm
- auth0-js
Anything's wrong? Let us know Last updated on September 13, 2023


