Security Vulnerability for auth0.js < 9.3

Published: February 26, 2018

CVE number: CVE-2018-7307

Credit: Internal


A vulnerability has been identified in the auth0.js JavaScript library, affecting versions < 9.3.

This vulnerability allows an attacker to bypass the CSRF check on the state parameter when that parameter is missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Patching this vulnerability requires a library upgrade.

Am I affected?

If you use a version of auth0.js lower than 9.3 then you are affected by this vulnerability.

How to fix this?

Developers using the auth0.js library need to upgrade to version 9.3 or higher.

Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your package.json file is updated to take patch and minor level updates of our libraries.

  "dependencies": {
    "auth0-js": "^9.3.0"
  }

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
