CVE-2021-32641: Security Update for Auth0 Lock Library
Published: June 4, 2021
CVE number: CVE-2021-32641
Overview
Versions before and including 11.30.0 are vulnerable to a reflected XSS. An attacker can execute arbitrary code when either:
- The library's flashMessage feature is used and user input or data from URL parameters is incorporated into the flashMessage.
- The library's languageDictionary feature is used and user input or data from URL parameters is incorporated into the languageDictionary.
Am I affected?
This vulnerability affects you if your implementation fits either of these descriptions:
flashMessage vulnerability
If all of these conditions are true, you're vulnerable:
- You use auth0-lock version 11.30.0 or older.
- You use the flashMessage feature.
- User input or data from URL parameters is incorporated into the flashMessage.
This is an example of a vulnerable snippet where query parameters are used to populate the text property of a flashMessage:
    // Untrusted source: the query string is attacker-controlled in a reflected XSS.
    var params = new URLSearchParams(location.search);
    var errorMessage = params.get('error__message');
    var showParams = {};
    if (errorMessage) {
      // The raw URL value flows into flashMessage.text, which Lock renders.
      showParams.flashMessage = {
        type: 'error',
        text: 'We were unable to log you in. ' + errorMessage,
      };
    }
    lock.show(showParams);
languageDictionary vulnerability
If all of these conditions are true, you're vulnerable:
- You use auth0-lock version 11.30.0 or older.
- You use the languageDictionary feature.
- User input or data from URL parameters is used in languageDictionary properties.
This is an example of a vulnerable snippet that uses query parameters to populate the socialLoginInstructions property of a languageDictionary:
    // Untrusted source: the query string is attacker-controlled in a reflected XSS.
    var params = new URLSearchParams(location.search);
    var instruction = params.get('instruction');
    var options = {
      languageDictionary: {
        emailInputPlaceholder: "something@youremail.com",
        title: "title",
        // The raw URL value becomes a dictionary string that Lock renders.
        socialLoginInstructions: instruction
      },
    };
    var lock = new Auth0LockPasswordless(
      CLIENT_ID,
      DOMAIN,
      options
    );
    lock.show();
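Both snippets above share one root cause: text taken straight from the URL ends up in a field that Lock renders as HTML. The following is an added example, not Auth0's code or part of the original advisory, showing how an application can build the same flashMessage and languageDictionary options without letting URL-derived markup reach those fields. It assumes the same query parameter names as the snippets above plus a constructed `error_code` parameter and a constructed error-message table; the allowlist, the `escapeHtml` helper and the `hasMarkupInParams` heuristic are this example's own, not a Lock API. Escaping here is a defence-in-depth measure for applications that cannot yet upgrade; the fixed library release sanitizes these fields itself.

```javascript
// Added example (not Auth0's code): build Lock options from the query string
// without letting raw URL-derived text reach fields Lock renders as HTML.
// CLIENT_ID, DOMAIN and the lock object from the snippets above are not needed.

// Constructed allowlist: the URL carries only an error *code*; the wording
// shown to the user comes from the application's own table.
const ERROR_MESSAGES = {
  invalid_credentials: 'We were unable to log you in. Check your email and password.',
  session_expired: 'Your session expired. Please sign in again.',
};
const DEFAULT_ERROR = 'We were unable to log you in.';

// Escape the characters that matter in an HTML context, so any markup in
// free text becomes inert literal characters instead of elements/attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// flashMessage: look the code up in the table; unknown or missing codes fall
// back to a fixed message, so no URL text is ever rendered.
function buildShowParams(search) {
  const params = new URLSearchParams(search);
  const code = params.get('error_code');
  const showParams = {};
  if (code !== null) {
    const known = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code);
    showParams.flashMessage = {
      type: 'error',
      text: known ? ERROR_MESSAGES[code] : DEFAULT_ERROR,
    };
  }
  return showParams;
}

// languageDictionary: when free text from the URL genuinely has to be shown,
// cap its length and HTML-escape it before it becomes a dictionary value.
const MAX_INSTRUCTION_LENGTH = 200;
function buildLanguageDictionary(search) {
  const params = new URLSearchParams(search);
  const raw = params.get('instruction');
  const dictionary = {
    emailInputPlaceholder: 'something@youremail.com',
    title: 'title',
  };
  if (raw !== null) {
    dictionary.socialLoginInstructions = escapeHtml(raw.slice(0, MAX_INSTRUCTION_LENGTH));
  }
  return dictionary;
}

// Review aid for logs or request traces (constructed heuristic): does a query
// string carry tag-like or event-handler-like text in a parameter that feeds
// one of these fields? Useful for spotting probing against unpatched deployments.
function hasMarkupInParams(search, names) {
  const params = new URLSearchParams(search);
  return names.some((name) => {
    const value = params.get(name);
    return value !== null && /<[a-z!\/]|on\w+\s*=/i.test(value);
  });
}

// Usage with constructed query strings:
console.log(buildShowParams('?error_code=session_expired'));
console.log(buildLanguageDictionary('?instruction=Sign in with <b>Google</b>'));
console.log(hasMarkupInParams('?instruction=<img src=x>', ['instruction']));
```

The allowlist form is the stronger of the two: once the URL only selects among fixed strings, the rendering context of flashMessage no longer matters. Escaping is the fallback for dictionary values that must carry caller-supplied text, and the length cap keeps a long injected string from being stored or logged whole.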
How do I fix this?
Upgrade to auth0-lock version 11.30.1.
Will this update impact my users?
The fix uses DOMPurify to sanitize the flashMessage and languageDictionary inputs. It removes any JavaScript in these fields, such as script tags or onclick attributes.