High severity7.5NVD Advisory· Published Dec 6, 2017· Updated May 13, 2026

CVE-2017-17068

Description

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
auth0-jsnpm	< 8.12.0	8.12.0

Affected products

Auth0/Auth0.js
cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*
Range: <8.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/nvdExploitIssue TrackingThird Party Advisory
auth0.com/docs/security/bulletins/cve-2017-17068nvdIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-3rpr-mg43-xhq4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-17068ghsaADVISORY
appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000