Here is a list of Auth0 security bulletins that address security vulnerabilities in Auth0 software and libraries. Each bulletin describes the vulnerability, how to determine whether you are affected, and how to remediate it.
| Date | Bulletin number | Title | Affected software |
| --- | --- | --- | --- |
| August 16, 2020 | CVE-2020-15119 | Security Update for Auth0 Lock <= 11.25.1 | Auth0 Lock |
| July 28, 2020 | CVE-2020-15125 | Auth0 Security Bulletin for node-auth0 <= 2.27.0 | node-auth0 |
| June 30, 2020 | CVE-2020-15084 | Auth0 Security Bulletin for express-jwt versions < 6.0.0 | express-jwt |
| April 09, 2020 | CVE-2020-5263 | Auth0 Security Bulletin for auth0.js versions <= 9.13.1 | Auth0.js |
| March 31, 2020 | Auth0 Bulletin | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0 | WordPress Plugin for Auth0 |
| January 31, 2020 | CVE-2019-20173 | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2 | WordPress Plugin for Auth0 |
| January 30, 2020 | CVE-2019-20174 | Auth0 Security Bulletin for Auth0 Lock < 11.21.0 | Auth0 Lock |
| October 04, 2019 | CVE-2019-16929 | Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive | auth0.net |
| September 05, 2019 | Auth0 Bulletin | Auth0 Security Bulletin for assigning scopes based on email address | Custom code within Auth0 Rules |
| July 23, 2019 | CVE-2019-13483 | Security Bulletin for Passport-SharePoint < 0.4.0 | Passport-SharePoint |
| February 15, 2019 | CVE-2019-7644 | Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4 | Auth0-WCF-Service-JWT |
| January 10, 2019 | Auth0 Bulletin | Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code | Custom code within Auth0 Rules |
| August 6, 2018 | CVE-2018-15121 | Security vulnerability in deprecated Auth0 middleware for ASP.NET | auth0-aspnet, auth0-aspnet-owin |
| June 5, 2018 | CVE-2018-11537 | Security update for angular-jwt whitelist bypass | angular-jwt |
| April 4, 2018 | CVE-2018-6874 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| April 4, 2018 | CVE-2018-6873 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| February 26, 2018 | CVE-2018-7307 | Security vulnerability for auth0.js < 9.3 | Auth0.js |
| December 22, 2017 | CVE-2017-16897 | Security update for passport-wsfed-saml2 Passport strategy library | passport-wsfed-saml2 Passport strategy library |
| December 4, 2017 | CVE-2017-17068 | Security update for auth0.js popup callback vulnerability | Auth0.js |
Prevent cybersecurity threats
Some common cybersecurity threats include:
- Bucket brigade (man-in-the-middle) attacks
- Cross-Site Request Forgery (CSRF or XSRF) attacks
Auth0 has anomaly detection features, such as brute-force protection and breached-password detection, that shield the login flow against certain of these attacks; they do not protect custom code in your own applications, rules, or hooks. See Prevent Common Cybersecurity Threats for details.
If your environment is behind a firewall, custom database connections, hooks, and rules that call into your infrastructure may require you to allow the specific Auth0 IP addresses from which those outbound calls originate; the addresses are published per region, so allow the set for your tenant's region. See Add IP Addresses to AllowList for details.
If there are user profile fields that should not be stored in Auth0 databases for privacy reasons, you can add them to a denylist so they are not persisted. See Add User Attributes to DenyList for details.
To revoke an access token so that it can no longer be used, add the token's jti (together with its aud) to the tenant's token denylist through the Management API, or delete the application's grant for the API so the application can no longer obtain tokens for it. Because Auth0-issued access tokens are self-contained JWTs, an API that validates them must consult the denylist itself; signature and expiry validation alone will not reject a denylisted token. See Revoke Access to API Using DenyList or Application Grants for details.