# CVE-2018-11537: Security Update for angular-jwt Allow List Bypass

**Published**: June 5, 2018

**CVE number**: CVE-2018-11537

**Credit**: Stephan Hauser

## Overview

The [domain allowlisting](https://github.com/auth0/angular-jwt#whitelisting-domains) feature can be bypassed. For example, if the setting is initialized with:

`jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];`

An attacker can set up a domain `whitelistedXexample.com` that will pass the allow list filter. The root cause is that `angular-jwt` always treats `whiteListedDomains` entries as regular expressions, so the `.` separator matches any single character rather than a literal dot.
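The following is an added illustration, not angular-jwt's own source: it reproduces the regex-based matching the advisory describes against the constructed allow list and look-alike host above, then shows two defensive alternatives (an exact hostname comparison, and escaping plus anchoring when patterns must be supported). The function names and sample URLs are assumptions for this example.

```javascript
// Added illustration (not angular-jwt's own code): why treating allow-list
// entries as regular expressions lets "whitelistedXexample.com" through, and
// how a literal hostname comparison closes the gap.

// Constructed sample allow list, identical to the advisory's example.
const whiteListedDomains = ['whitelisted.Example.com'];

// Hostname extraction for absolute URLs. The URL parser already lowercases
// hostnames; the extra toLowerCase() makes the case folding explicit.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Vulnerable behaviour: each entry is compiled verbatim as a RegExp, so the
// "." separator becomes an "any single character" wildcard.
function isAllowedRegex(url, allowList) {
  const host = hostOf(url);
  return allowList.some((entry) => new RegExp(entry, 'i').test(host));
}

// Hardened behaviour: compare the hostname literally (case-insensitively)
// instead of compiling the entry as a pattern.
function isAllowedExact(url, allowList) {
  const host = hostOf(url);
  return allowList.some((entry) => entry.toLowerCase() === host);
}

// Alternative hardening when pattern support is required: escape regex
// metacharacters and anchor the expression so "." only matches a dot.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function isAllowedEscaped(url, allowList) {
  const host = hostOf(url);
  return allowList.some((entry) =>
    new RegExp(`^${escapeRegex(entry)}$`, 'i').test(host));
}

// Constructed requests: the legitimate host and the look-alike from the advisory.
const legit = 'https://whitelisted.example.com/api/userinfo';
const lookAlike = 'https://whitelistedXexample.com/api/userinfo';

console.log('regex  :', isAllowedRegex(legit, whiteListedDomains), isAllowedRegex(lookAlike, whiteListedDomains));
console.log('exact  :', isAllowedExact(legit, whiteListedDomains), isAllowedExact(lookAlike, whiteListedDomains));
console.log('escaped:', isAllowedEscaped(legit, whiteListedDomains), isAllowedEscaped(lookAlike, whiteListedDomains));
```

The regex variant accepts both hosts, which is the bypass; the exact and escaped variants accept only the allow-listed one.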

## Am I affected?

If the following apply you are affected by this vulnerability:

* You use a version of angular-jwt lower than `0.1.10`
* You use domain allow listing in your code

## How to fix that?

Developers using the angular-jwt library need to upgrade to the latest version: `0.1.10`.

The updated package is available on [NPM](https://npmjs.com): `npm install angular-jwt@0.1.10`

To make it easier to keep up with security updates in the future, please make sure your `package.json` file is updated to take patch- and minor-level updates of our libraries:

```json
{
  "dependencies": {
    "angular-jwt": "^0.1.10"
  }
}
```

### Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
