Security Bulletins

Here is a list of Auth0 security bulletins that address security vulnerabilities in Auth0 software. Each bulletin contains a description of the vulnerability, how to identify if you are affected, and what to do to fix it.

Date Bulletin number Title Affected software
June 23, 2021 CVE-2021-32702 Security Update for Auth0 Next.js <= 1.4.1 nextjs-auth0
June 4, 2021 CVE-2021-32641 Security Update for Auth0 Lock <= 11.30.0 Auth0 Lock
November 05, 2020 CVE-2020-15259 Auth0 Security Bulletin for ad-ldap-connector versions <= 5.0.12 AD/LDAP Connector
October 21, 2020 CVE-2020-15240 Security Update for omniauth-auth0 JWT Validation omniauth-auth0
August 16, 2020 CVE-2020-15119 Security Update for Auth0 Lock <= 11.25.1 Auth0 Lock
July 28, 2020 CVE-2020-15125 Auth0 Security Bulletin for node-auth0 <= 2.27.0 node-auth0
June 30, 2020 CVE-2020-15084 Auth0 Security Bulletin for express-jwt versions < 6.0.0 express-jwt
April 09, 2020 CVE-2020-5263 Auth0 Security Bulletin for auth0.js versions <= 9.13.1 Auth0.js
March 31, 2020 Auth0 Bulletin Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0 WordPress Plugin for Auth0
January 31, 2020 CVE-2019-20173 Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2 WordPress Plugin for Auth0
January 30, 2020 CVE-2019-20174 Auth0 Security Bulletin for Auth0 Lock < 11.21.0 Auth0 Lock
October 04, 2019 CVE-2019-16929 Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive auth0.net
September 05, 2019 Auth0 bulletin Auth0 Security Bulletin for assigning scopes based on email address Custom code within Auth0 rules
July 23, 2019 CVE-2019-13483 Security Bulletin for Passport-SharePoint < 0.4.0 Passport-SharePoint
February 15, 2019 CVE-2019-7644 Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4 Auth0-WCF-Service-JWT
January 10, 2019 Auth0 bulletin Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code Custom code within Auth0 Rules
August 6, 2018 CVE-2018-15121 Security vulnerability in deprecated Auth0 middleware for ASP.NET auth0-aspnet, auth0-aspnet-owin
June 5, 2018 CVE-2018-11537 Security update for angular-jwt allowlist bypass angular-jwt
April 4, 2018 CVE-2018-6874 Security vulnerability for Auth0 authentication service Auth0 Authentication Service
April 4, 2018 CVE 2018-6873 Security vulnerability for Auth0 authentication service Auth0 Authentication Service
February 26, 2018 CVE 2018-7307 Security vulnerability for auth0.js < 9.3 Auth0.js
December 22, 2017 CVE 2017-16897 Security update for passport-wsfed-saml2 Passport strategy library passport-wsfed-saml2 Passport strategy library
December 4, 2017 CVE 2017-17068 Security update for auth0.js popup callback vulnerability Auth0.js