Security Bulletins

Here is a list of Auth0 security bulletins that address security vulnerabilities in Auth0 software. Each bulletin contains a description of the vulnerability, how to identify if you are affected, and what to do to fix it.

Date	Bulletin number	Title	Affected software
December 21, 2022	Auth0 Bulletin	Auth0 security bulletin for jsonwebtoken	node-jsonwebtoken
December 12, 2022	CVE-2022-23505	Security Update for passport-wsfed-saml2 Library	passpord-wsfed-saml2
March 30, 2022	CVE-2022-24794	Security Update for Express OpenID Connect Library	express-openid-connect
December 16, 2021	CVE-2021-43812	Security Update for Next.js Auth0 Library <=1.6.1	nextjs-auth0
December 08, 2021	CVE-2021-41246	Security Update for Express OpenID Connect >= 2.3.0, <= 2.5.1	express-openid-connect
June 23, 2021	CVE-2021-32702	Security Update for Auth0 Next.js <= 1.4.1	nextjs-auth0
June 4, 2021	CVE-2021-32641	Security Update for Auth0 Lock <= 11.30.0	Auth0 Lock
November 05, 2020	CVE-2020-15259	Auth0 Security Bulletin for ad-ldap-connector versions <= 5.0.12	AD/LDAP Connector
October 21, 2020	CVE-2020-15240	Security Update for omniauth-auth0 JWT Validation	omniauth-auth0
August 16, 2020	CVE-2020-15119	Security Update for Auth0 Lock <= 11.25.1	Auth0 Lock
July 28, 2020	CVE-2020-15125	Auth0 Security Bulletin for node-auth0 <= 2.27.0	node-auth0
June 30, 2020	CVE-2020-15084	Auth0 Security Bulletin for express-jwt versions < 6.0.0	express-jwt
April 09, 2020	CVE-2020-5263	Auth0 Security Bulletin for auth0.js versions <= 9.13.1	Auth0.js
March 31, 2020	Auth0 Bulletin	Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0	WordPress Plugin for Auth0
January 31, 2020	CVE-2019-20173	Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2	WordPress Plugin for Auth0
January 30, 2020	CVE-2019-20174	Auth0 Security Bulletin for Auth0 Lock < 11.21.0	Auth0 Lock
October 04, 2019	CVE-2019-16929	Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive	auth0.net
September 05, 2019	Auth0 bulletin	Auth0 Security Bulletin for assigning scopes based on email address	Custom code within Auth0 rules
July 23, 2019	CVE-2019-13483	Security Bulletin for Passport-SharePoint < 0.4.0	Passport-SharePoint
February 15, 2019	CVE-2019-7644	Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4	Auth0-WCF-Service-JWT
January 10, 2019	Auth0 bulletin	Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code	Custom code within Auth0 Rules
August 6, 2018	CVE-2018-15121	Security vulnerability in deprecated Auth0 middleware for ASP.NET	auth0-aspnet, auth0-aspnet-owin
June 5, 2018	CVE-2018-11537	Security update for angular-jwt allowlist bypass	angular-jwt
April 4, 2018	CVE-2018-6874	Security vulnerability for Auth0 authentication service	Auth0 Authentication Service
April 4, 2018	CVE 2018-6873	Security vulnerability for Auth0 authentication service	Auth0 Authentication Service
February 26, 2018	CVE 2018-7307	Security vulnerability for auth0.js < 9.3	Auth0.js
December 22, 2017	CVE 2017-16897	Security update for passport-wsfed-saml2 Passport strategy library	passport-wsfed-saml2 Passport strategy library
December 4, 2017	CVE 2017-17068	Security update for auth0.js popup callback vulnerability	Auth0.js

General Security Tips

CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken

⌘I

Protect Your Application

Protect Your Tenant

Compliance

Security Bulletins