Auth0 Security Bulletin CVE-2019-16929
CVE number: CVE-2019-16929
Credit: Dennis Detering (Spike Reply GmbH)
Versions of auth0.net and the associated NuGet package Auth0.AuthenticationAPI from 6.5.3 inclusive include a class named IdentityTokenValidator with a public ValidateAsync method, which performs limited validation suitable only for Auth0-issued tokens.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
- You are using the IdentityTokenValidator to validate untrusted ID tokens
- You are using a version of Auth0.AuthenticationAPI between
How to fix that?
Developers should not use the IdentityTokenValidator class to validate untrusted ID tokens. See https://auth0.com/docs/tokens/guides/validate-id-tokens for our recommendations for validating ID tokens. https://jwt.io/ is a good resource on open source JWT validation libraries and their capabilities. Note that additional logic may be required based upon your use case.
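As an added example that is not part of this bulletin or of the auth0.net library, the following C# validates an untrusted ID token with the Microsoft JWT libraries (System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect), performing the signature, algorithm, issuer, audience, lifetime and nonce checks that the linked Auth0 guidance calls for. The tenant domain, client ID and expected nonce are placeholders you must supply.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenChecks
{
    // Placeholder tenant values (assumed); replace with your own Auth0 domain and client ID.
    const string Domain = "YOUR_TENANT.auth0.com";
    const string ClientId = "YOUR_CLIENT_ID";

    // Fetches and caches the tenant's signing keys from its OIDC discovery document.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Oidc =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://{Domain}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Returns the validated principal, or throws if any check fails.
    public static async Task<ClaimsPrincipal> ValidateIdTokenAsync(string idToken, string expectedNonce)
    {
        var handler = new JwtSecurityTokenHandler();

        // Reject any algorithm other than RS256 before the signature is even considered.
        var unverified = handler.ReadJwtToken(idToken);
        if (unverified.Header.Alg != SecurityAlgorithms.RsaSha256)
            throw new SecurityTokenInvalidSignatureException($"Unexpected alg: {unverified.Header.Alg}");

        OpenIdConnectConfiguration config = await Oidc.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = $"https://{Domain}/",      // iss must equal the tenant URL exactly
            ValidAudience = ClientId,               // aud must contain this application's client ID
            IssuerSigningKeys = config.SigningKeys, // signature checked against the tenant JWKS
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,                // exp (and nbf, if present) checked against the clock
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        ClaimsPrincipal principal = handler.ValidateToken(idToken, parameters, out SecurityToken _);

        // The nonce binds this token to the login request that produced it.
        string nonce = principal.FindFirst("nonce")?.Value;
        if (expectedNonce != null && nonce != expectedNonce)
            throw new SecurityTokenException("Nonce mismatch");
        return principal;
    }
}
```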
Developers using the auth0.net and associated NuGet Package Auth0.AuthenticationAPI between 6.5.3 inclusive should upgrade to the latest version 6.5.4 to prevent accidental usage of the
Will this update impact my users?
No. This fix patches the client library that your application runs, but will not impact your users, their current state, or any existing sessions.