Auth0 Security Bulletin CVE-2017-17068
Published: December 4, 2017
CVE number: CVE-2017-17068
If your site or application uses a popup callback page with auth0.popup.callback(), an attacker can take advantage of unrestricted cross-origin postMessage requests and gain access to the tokens of logged-in users. A malicious website could then use any acquired Access Tokens to invoke services on behalf of the user.
This update addresses the vulnerability by implementing origin verification, so the message cannot be posted to a page that is not in a specified domain. If no domain is specified, only the domain where the callback page is hosted is allowed. An attacker's page would receive a cross-origin request error instead of the tokens.
Patching this vulnerability requires a library upgrade.
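The following is an added example, not Auth0's code and not the auth0.js library. It models the popup-callback hand-off the bulletin describes: the callback page posts the authentication result to the window that opened it, and the browser delivers a message only when the opener's origin matches the targetOrigin argument. The weak form posts with a wildcard target; the hardened form resolves an explicit origin from the configured domain, or from the callback page's own origin when none is configured, and the opener additionally checks event.origin. Names such as resolveTargetOrigin and hardenedPopupCallback, the sample origins and the token value are assumptions constructed for this illustration.

```javascript
// Added example, not Auth0's code. It models the popup-callback hand-off the
// bulletin describes and the origin checks that close it. Names such as
// resolveTargetOrigin and hardenedPopupCallback are assumptions for this
// illustration, not auth0.js API.

// Extract scheme://host[:port] from an absolute URL; null if it is not one.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (err) {
    return null;
  }
}

// Pick the targetOrigin the callback page passes to postMessage. A configured
// domain wins; with none configured, fall back to the origin of the page that
// hosts the callback (the behaviour the bulletin describes for the fix).
function resolveTargetOrigin(configuredDomain, callbackPageUrl) {
  if (configuredDomain) {
    const origin = originOf(configuredDomain);
    if (!origin) throw new Error('configured domain must be an absolute URL');
    return origin;
  }
  const fallback = originOf(callbackPageUrl);
  if (!fallback) throw new Error('callback page URL must be absolute');
  return fallback;
}

// Simplified browser postMessage rule: '*' is delivered to whatever window is
// the opener; an explicit origin is delivered only when it equals the
// opener's actual origin, otherwise the browser drops the message.
function browserDelivers(targetOrigin, openerOrigin) {
  return targetOrigin === '*' || targetOrigin === openerOrigin;
}

// Weak pattern: the callback page posts the auth result with '*', so a page
// on any origin that opened the popup receives the tokens.
function vulnerablePopupCallback(authResult, openerOrigin) {
  const delivered = browserDelivers('*', openerOrigin);
  return { delivered, data: delivered ? authResult : null };
}

// Hardened pattern: the callback page posts only to the resolved origin.
function hardenedPopupCallback(authResult, openerOrigin, options) {
  const targetOrigin = resolveTargetOrigin(options.domain, options.callbackPageUrl);
  const delivered = browserDelivers(targetOrigin, openerOrigin);
  return { targetOrigin, delivered, data: delivered ? authResult : null };
}

// Opener side: the application page should also refuse messages whose
// event.origin is not the callback page's origin, so a stray window cannot
// inject a forged result.
function openerMessageHandler(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  return event.data;
}

// Walk both patterns with a constructed auth result and two openers.
function demo() {
  const authResult = { accessToken: 'constructed-sample-token', expiresIn: 7200 };
  const options = { callbackPageUrl: 'https://app.example/callback.html' };
  return {
    vulnerableLegit: vulnerablePopupCallback(authResult, 'https://app.example').delivered,
    vulnerableOther: vulnerablePopupCallback(authResult, 'https://other.example').delivered,
    hardenedLegit: hardenedPopupCallback(authResult, 'https://app.example', options).delivered,
    hardenedOther: hardenedPopupCallback(authResult, 'https://other.example', options).delivered,
  };
}

console.log(demo());
```

Running the block prints an object in which the weak pattern delivers to both openers while the hardened pattern delivers only to the origin that hosts the callback page. In a real deployment the opener-side check in openerMessageHandler belongs in the application's message listener, with expectedOrigin set to the origin of the callback page.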
Am I affected?
If the following apply you are affected by this vulnerability:
- You use a version of auth0.js lower than
- You use a popup callback page with auth0.popup.callback() in your code
How do I fix this?
Developers using the auth0.js library need to upgrade to the latest version:
Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your package.json file is updated to take patch and minor level updates of our libraries.
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.