CVE-2021-32641: Security Update for Auth0 Lock Library

Published: June 4, 2021

CVE number: CVE-2021-32641

Overview

Versions before and including 11.30.0 are vulnerable to a reflected XSS. An attacker can execute arbitrary code when either:

  • The library's flashMessage feature is used and user input or data from URL parameters is incorporated into the flashMessage.

Or

  • The library's languageDictionary feature is used and user input or data from URL parameters is incorporated into the languageDictionary.

Am I affected?

This vulnerability affects you if your implementation fits either of these descriptions:

flashMessage vulnerability

If all of these conditions are true, you're vulnerable:

  • You use auth0-lock version 11.30.0 or older.

  • You use the flashMessage feature.

  • User input or data from URL parameters is incorporated into the flashMessage.

This is an example of a vulnerable snippet where query parameters are used to populate the text property of a flashMessage:

var params = new URLSearchParams(location.search);

var errorMessage = params.get('error__message');
var showParams = {};

if (!!errorMessage === true) {
  showParams.flashMessage = {
    type: 'error',
    text: 'We were unable to log you in. ' + errorMessage,
  };
}

lock.show(showParams);

languageDictionary vulnerability

If all of these conditions are true, you're vulnerable:

  • You use auth0-lock version 11.30.0 or older.

  • You use the languageDictionary feature.

  • User input or data from URL parameters is used in languageDictionary properties.

This is an example of a vulnerable snippet that uses query parameters to populate the socialLoginInstructions property of a languageDictionary:

var params = new URLSearchParams(location.search);
var instruction = params.get('instruction');

var options = {
  languageDictionary: {
    emailInputPlaceholder: "something@youremail.com",
    title: "title",
    socialLoginInstructions: instruction
  },
};

var lock = new Auth0LockPasswordless(
    CLIENT_ID,
    DOMAIN,
    options
);

lock.show();

How to fix that?

Upgrade to auth0-lock version 11.30.1.

Will this update impact my users?

The fix uses DOMPurify to sanitize the flashMessage and languageDictionary inputs. It removes any JavaScript in these fields, such as script tags or onclick attributes.