Security Bulletins
Here is a list of Auth0 security bulletins that address security vulnerabilities in Auth0 software. Each bulletin contains a description of the vulnerability, how to identify if you are affected, and what to do to fix it.
Date | Bulletin number | Title | Affected software |
---|---|---|---|
December 21, 2022 | Auth0 Bulletin | Auth0 security bulletin for jsonwebtoken | node-jsonwebtoken |
December 12, 2022 | CVE-2022-23505 | Security Update for passport-wsfed-saml2 Library | passport-wsfed-saml2 |
March 30, 2022 | CVE-2022-24794 | Security Update for Express OpenID Connect Library | express-openid-connect |
December 16, 2021 | CVE-2021-43812 | Security Update for Next.js Auth0 Library <=1.6.1 | nextjs-auth0 |
December 08, 2021 | CVE-2021-41246 | Security Update for Express OpenID Connect >= 2.3.0, <= 2.5.1 | express-openid-connect |
June 23, 2021 | CVE-2021-32702 | Security Update for Auth0 Next.js <= 1.4.1 | nextjs-auth0 |
June 4, 2021 | CVE-2021-32641 | Security Update for Auth0 Lock <= 11.30.0 | Auth0 Lock |
November 05, 2020 | CVE-2020-15259 | Auth0 Security Bulletin for ad-ldap-connector versions <= 5.0.12 | AD/LDAP Connector |
October 21, 2020 | CVE-2020-15240 | Security Update for omniauth-auth0 JWT Validation | omniauth-auth0 |
August 16, 2020 | CVE-2020-15119 | Security Update for Auth0 Lock <= 11.25.1 | Auth0 Lock |
July 28, 2020 | CVE-2020-15125 | Auth0 Security Bulletin for node-auth0 <= 2.27.0 | node-auth0 |
June 30, 2020 | CVE-2020-15084 | Auth0 Security Bulletin for express-jwt versions < 6.0.0 | express-jwt |
April 09, 2020 | CVE-2020-5263 | Auth0 Security Bulletin for auth0.js versions <= 9.13.1 | Auth0.js |
March 31, 2020 | Auth0 Bulletin | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0 | WordPress Plugin for Auth0 |
January 31, 2020 | CVE-2019-20173 | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2 | WordPress Plugin for Auth0 |
January 30, 2020 | CVE-2019-20174 | Auth0 Security Bulletin for Auth0 Lock < 11.21.0 | Auth0 Lock |
October 04, 2019 | CVE-2019-16929 | Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive | auth0.net |
September 05, 2019 | Auth0 Bulletin | Auth0 Security Bulletin for assigning scopes based on email address | Custom code within Auth0 Rules |
July 23, 2019 | CVE-2019-13483 | Security Bulletin for Passport-SharePoint < 0.4.0 | Passport-SharePoint |
February 15, 2019 | CVE-2019-7644 | Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4 | Auth0-WCF-Service-JWT |
January 10, 2019 | Auth0 Bulletin | Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code | Custom code within Auth0 Rules |
August 6, 2018 | CVE-2018-15121 | Security vulnerability in deprecated Auth0 middleware for ASP.NET | auth0-aspnet, auth0-aspnet-owin |
June 5, 2018 | CVE-2018-11537 | Security update for angular-jwt allowlist bypass | angular-jwt |
April 4, 2018 | CVE-2018-6874 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
April 4, 2018 | CVE-2018-6873 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
February 26, 2018 | CVE-2018-7307 | Security vulnerability for auth0.js < 9.3 | Auth0.js |
December 22, 2017 | CVE-2017-16897 | Security update for passport-wsfed-saml2 Passport strategy library | passport-wsfed-saml2 Passport strategy library |
December 4, 2017 | CVE-2017-17068 | Security update for auth0.js popup callback vulnerability | Auth0.js |