
auth0 — Vulnerabilities & Security Advisories (30)

Browse all 30 CVE security advisories affecting auth0. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Auth0 operates as a cloud-based identity and access management platform, primarily serving developers who require secure authentication and authorization services for web and mobile applications. Its architecture handles sensitive user credentials and session tokens, making it a critical component in modern software ecosystems. Historically, vulnerabilities within its ecosystem have frequently involved cross-site scripting (XSS), broken access control, and security misconfigurations that could lead to privilege escalation or unauthorized data access. With thirty recorded Common Vulnerabilities and Exposures (CVEs), the platform has faced scrutiny regarding its implementation of security controls. While no single catastrophic breach has publicly defined its history, the cumulative nature of these flaws highlights the inherent risks in complex third-party identity providers. Organizations relying on this service must rigorously monitor updates and enforce strict configuration standards to mitigate potential exploitation vectors inherent in its extensive feature set.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40155 | Auth0 Next.js SDK has Improper Proxy Cache Lookup | nextjs-auth0 | CWE-863 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-34236 | Auth0 PHP SDK Insufficient Entropy in Cookie Encryption | auth0-PHP | CWE-331 | 8.2 | High | 2026-04-01 |
| CVE-2025-68129 | Auth0-PHP SDK has Improper Audience Validation | auth0-PHP | CWE-863 | 6.8 | Medium | 2025-12-17 |
| CVE-2025-67716 | Auth0 Next.js SDK has Improper Validation of Query Parameters | nextjs-auth0 | CWE-184 | 5.7 | Medium | 2025-12-11 |
| CVE-2025-67490 | Auth0 Next.js SDK has Improper Request Caching Lookup | nextjs-auth0 | CWE-863 | 5.4 | Medium | 2025-12-10 |
| CVE-2025-65945 | auth0/node-jws improper HMAC signature verification vulnerability | node-jws | CWE-347 | 7.5 | High | 2025-12-04 |
| CVE-2025-58769 | auth0-PHP: Improper File Type Handling in Bulk User Import | laravel-auth0 | CWE-22 | 3.3 | Low | 2025-10-01 |
| CVE-2025-48947 | NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies | nextjs-auth0 | CWE-525 | 6.5 (AI) | Medium (AI) | 2025-06-04 |
| CVE-2025-48951 | Auth0-PHP SDK Deserialization of Untrusted Data vulnerability | auth0-PHP | CWE-502 | 9.1 (AI) | Critical (AI) | 2025-06-03 |
| CVE-2025-47275 | Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK | auth0-PHP | CWE-287 | 9.1 | Critical | 2025-05-15 |
| CVE-2025-46573 | passport-wsfed-saml2 Has SAML Authentication Bypass via Attribute Smuggling | passport-wsfed-saml2 | CWE-287 | 7.4 (AI) | High (AI) | 2025-05-06 |
| CVE-2025-46572 | passport-wsfed-saml2 Has SAML Authentication Bypass via Signature Wrapping | passport-wsfed-saml2 | CWE-287 | 7.4 (AI) | High (AI) | 2025-05-06 |
| CVE-2025-46344 | Auth0 NextJS SDK v4 Missing Session Invalidation | nextjs-auth0 | CWE-613 | 9.1 (AI) | Critical (AI) | 2025-04-29 |
| CVE-2023-6813 | Login by Auth0 <= 4.6.0 - Reflected Cross-Site Scripting via wle | Login by Auth0 | CWE-79 | 6.1 | Medium | 2024-07-10 |
| CVE-2022-23539 | jsonwebtoken unrestricted key type could lead to legacy keys usage | node-jsonwebtoken | CWE-327 | 5.9 | Medium | 2022-12-22 |
| CVE-2022-23540 | jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() | node-jsonwebtoken | CWE-287 | 6.4 | Medium | 2022-12-22 |
| CVE-2022-23541 | jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC | node-jsonwebtoken | CWE-287 | 5.0 | Medium | 2022-12-22 |
| CVE-2022-23505 | Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication | passport-wsfed-saml2 | CWE-287 | 5.3 | Medium | 2022-12-13 |
| CVE-2022-29172 | HTML injection with additional signup fields | lock | CWE-79 | 6.1 | Medium | 2022-05-05 |
| CVE-2022-24794 | Open Redirect in express-openid-connect | express-openid-connect | CWE-601 | 7.5 | High | 2022-03-31 |
| CVE-2021-43812 | Open redirect in nextjs-auth0 | nextjs-auth0 | CWE-601 | 6.4 | Medium | 2021-12-16 |
| CVE-2021-41246 | Session fixation in express-openid-connect | express-openid-connect | CWE-384 | 4.6 | Medium | 2021-12-09 |
| CVE-2021-32702 | Reflected XSS from the callback handler's error query parameter | nextjs-auth0 | CWE-79 | 8.0 | High | 2021-06-25 |
| CVE-2021-32641 | Reflected XSS when using flashMessages | lock | CWE-79 | 8.1 | High | 2021-06-04 |
| CVE-2020-15259 | CSRF in Auth0 ad-ldap-connector | ad-ldap-connector | CWE-352 | 8.1 | High | 2020-11-06 |
| CVE-2020-15240 | Regression in JWT Signature Validation | omniauth-auth0 | CWE-287 | 7.4 | High | 2020-10-21 |
| CVE-2020-15119 | DOM-based XSS in auth0-lock | lock | CWE-79 | 6.4 | Medium | 2020-08-19 |
| CVE-2020-15125 | Authorization header is not sanitized in an error object in auth0 | node-auth0 | CWE-209 | 7.7 | High | 2020-07-29 |
| CVE-2020-15084 | Authorization bypass in express-jwt | express-jwt | CWE-285 | 7.7 | High | 2020-06-30 |
| CVE-2020-5263 | Information disclosure through error object | auth0.js | CWE-522 | 5.5 | Medium | 2020-04-09 |

Scores and severities marked "(AI)" carry the page's AI badge rather than a published CVSS rating.

This page lists every published CVE security advisory associated with auth0. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.