Auth0 (vendor)

Products: 18
CVEs: 34 (34 across products)
Status: Private

Recent CVEs (34)
  • CVE-2018-6873 | Critical | Apr 4, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.

  • CVE-2025-48951 | Critical | Jun 3, 2025
    risk 0.53 | cvss n/a | epss 0.01

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could…

  • CVE-2025-46572 | Critical | May 6, 2025
    risk 0.53 | cvss n/a | epss 0.00

    passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be…

  • CVE-2025-47275 | Critical | May 15, 2025
    risk 0.52 | cvss 9.1 | epss 0.00

    Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which…

  • CVE-2025-46573 | High | May 6, 2025
    risk 0.49 | cvss n/a | epss 0.00

    passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response.…

  • CVE-2017-17068 | High | Dec 6, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback…

  • CVE-2026-42280 | High | May 27, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is…

  • CVE-2026-34236 | High | Apr 1, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and…

  • CVE-2017-16897 | High | Dec 27, 2017
    risk 0.46 | cvss 8.1 | epss 0.01

    A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response…

  • CVE-2025-48947 | High | Jun 4, 2025
    risk 0.43 | cvss n/a | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be…

  • CVE-2024-31111 | Medium | Jun 25, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from…

  • CVE-2023-6813 | Medium | Jul 10, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    The Login by Auth0 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wle’ parameter in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2024-32111 | Medium | Jun 25, 2024
    risk 0.33 | cvss 5.0 | epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from…

  • CVE-2026-40155 | Medium | Apr 17, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users…

  • CVE-2025-46344 | Medium | Apr 29, 2025
    risk 0.25 | cvss n/a | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal…

  • CVE-2025-68129 | Dec 17, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects…

  • CVE-2025-67716 | Dec 11, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0…

  • CVE-2025-67490 | Dec 10, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This…

  • CVE-2025-65945 | Dec 4, 2025
    risk 0.00 | cvss n/a | epss 0.00

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they…

  • CVE-2022-23539 | Dec 22, 2022
    risk 0.00 | cvss n/a | epss 0.00

    Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a…