Security Bulletins
Here is a list of Auth0 security bulletins that address security vulnerabilities in Auth0 software. Each bulletin contains a description of the vulnerability, how to identify if you are affected, and what to do to fix it.
| Date | Bulletin number | Title | Affected software |
|---|---|---|---|
| December 21, 2022 | Auth0 Bulletin | Auth0 security bulletin for jsonwebtoken | node-jsonwebtoken |
| December 12, 2022 | CVE-2022-23505 | Security Update for passport-wsfed-saml2 Library | passpord-wsfed-saml2 |
| March 30, 2022 | CVE-2022-24794 | Security Update for Express OpenID Connect Library | express-openid-connect |
| December 16, 2021 | CVE-2021-43812 | Security Update for Next.js Auth0 Library <=1.6.1 | nextjs-auth0 |
| December 08, 2021 | CVE-2021-41246 | Security Update for Express OpenID Connect >= 2.3.0, <= 2.5.1 | express-openid-connect |
| June 23, 2021 | CVE-2021-32702 | Security Update for Auth0 Next.js <= 1.4.1 | nextjs-auth0 |
| June 4, 2021 | CVE-2021-32641 | Security Update for Auth0 Lock <= 11.30.0 | Auth0 Lock |
| November 05, 2020 | CVE-2020-15259 | Auth0 Security Bulletin for ad-ldap-connector versions <= 5.0.12 | AD/LDAP Connector |
| October 21, 2020 | CVE-2020-15240 | Security Update for omniauth-auth0 JWT Validation | omniauth-auth0 |
| August 16, 2020 | CVE-2020-15119 | Security Update for Auth0 Lock <= 11.25.1 | Auth0 Lock |
| July 28, 2020 | CVE-2020-15125 | Auth0 Security Bulletin for node-auth0 <= 2.27.0 | node-auth0 |
| June 30, 2020 | CVE-2020-15084 | Auth0 Security Bulletin for express-jwt versions < 6.0.0 | express-jwt |
| April 09, 2020 | CVE-2020-5263 | Auth0 Security Bulletin for auth0.js versions <= 9.13.1 | Auth0.js |
| March 31, 2020 | Auth0 Bulletin | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0 | WordPress Plugin for Auth0 |
| January 31, 2020 | CVE-2019-20173 | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2 | WordPress Plugin for Auth0 |
| January 30, 2020 | CVE-2019-20174 | Auth0 Security Bulletin for Auth0 Lock < 11.21.0 | Auth0 Lock |
| October 04, 2019 | CVE-2019-16929 | Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive | auth0.net |
| September 05, 2019 | Auth0 bulletin | Auth0 Security Bulletin for assigning scopes based on email address | Custom code within Auth0 rules |
| July 23, 2019 | CVE-2019-13483 | Security Bulletin for Passport-SharePoint < 0.4.0 | Passport-SharePoint |
| February 15, 2019 | CVE-2019-7644 | Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4 | Auth0-WCF-Service-JWT |
| January 10, 2019 | Auth0 bulletin | Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code | Custom code within Auth0 Rules |
| August 6, 2018 | CVE-2018-15121 | Security vulnerability in deprecated Auth0 middleware for ASP.NET | auth0-aspnet, auth0-aspnet-owin |
| June 5, 2018 | CVE-2018-11537 | Security update for angular-jwt allowlist bypass | angular-jwt |
| April 4, 2018 | CVE-2018-6874 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| April 4, 2018 | CVE 2018-6873 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| February 26, 2018 | CVE 2018-7307 | Security vulnerability for auth0.js < 9.3 | Auth0.js |
| December 22, 2017 | CVE 2017-16897 | Security update for passport-wsfed-saml2 Passport strategy library | passport-wsfed-saml2 Passport strategy library |
| December 4, 2017 | CVE 2017-17068 | Security update for auth0.js popup callback vulnerability | Auth0.js |