Auth0 Security Bulletin CVE-2018-7307
Published: February 26, 2018
CVE number: CVE-2018-7307
This vulnerability allows an attacker to bypass the CSRF check that auth0.js performs on the state parameter: when the state parameter is missing from the authorization response, the check is skipped instead of failing, leaving the client vulnerable to CSRF attacks.
Patching this vulnerability requires a library upgrade.
Am I affected?
If you use a version of auth0.js lower than 9.3, you are affected by this vulnerability.
How do I fix it?
Developers using the auth0.js library need to upgrade to version 9.3 or higher.
Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your package.json file is updated to take patch and minor level updates of our libraries.
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.