26 matches found
CVE-2026-42280
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...
GHSA-8QJV-JJ2Q-X832 Auth.js SDK has Improper Permission Checking
Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built...
NPM: Auth.js SDK has Improper Permission Checking
NPM: Auth.js SDK has Improper Permission Checking vulnerability discovered by ? in WordPress Npm auth0-js versions >= 8.11.0, <= 9.32.0...
PT-2026-38263
Name of the Vulnerable Software and Affected Versions auth0-js versions 8.11.0 through 9.32.0 Description Improper validation in the Auth0.js SDK may allow the return of user profile data when a specifically crafted invalid ID token is used in conjunction with a valid access token. This issue...
EUVD-2020-0389
Malware in sbrugna...
CVE-2020-5263
auth0.js NPM package auth0-js greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the err...
Information Disclosure
auth0.js is vulnerable to information disclosure. Error objects are returned by the library containing confidential information such as the original request of the user or the plaintext password entered by the user...
GHSA-PRFQ-F66G-43MP Information disclosure through error object in auth0.js
Overview Between versions 8.0.0 and 9.13.1 inclusive, in the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification...
Information disclosure through error object in auth0.js
Overview Between versions 8.0.0 and 9.13.1 inclusive, in the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification...
Design/Logic Flaw
auth0.js NPM package auth0-js greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the err...
CVE-2020-5263
The CVE-2020-5263 entry concerns the Auth0.js (NPM package auth0-js) library. Affected versions are greater than 8.0.0 and before 9.12.3, where an authentication error returns an error object that may contain the user’s original request, potentially exposing the plaintext password if logged or ex...
CVE-2020-5263 Information disclosure through error object
auth0.js NPM package auth0-js greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the err...
Multiple Auth0 Library Cross-Site Request Forgery Vulnerabilities
Auth0.js is a client-side library for Auth0, and Lock is an embeddable login form for desktops, tablets, and mobile devices. A cross-site request forgery vulnerability exists in Auth0 Lock 10 and auth0.js 8, which can be exploited by a remote attacker constructing a malicious website to perform...
GHSA-WPQ7-Q8J4-72JG Auth0-js bypasses CSRF checks
The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks...
Auth0-js bypasses CSRF checks
The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks...
Cross-site Request Forgery (CSRF)
auth0-js is vulnerable to cross-site request forgery CSRF attacks. These attacks are possible if the state parameter is missing in an authorization response...
CVE-2018-7307
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter...
Design/Logic Flaw
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter...