Every CVE whose affected-product data names Auth0 Auth0.js, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (7)
CVE-2018-6873 — CVSS 9.8 (critical): The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.
CVE-2018-6874 — CVSS 8.8 (high): CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
CVE-2018-7307 — CVSS 8.8 (high): The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
CVE-2020-15125 — CVSS 7.7 (high): In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in…
CVE-2017-17068 — CVSS 7.5 (high): A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an…
CVE-2026-42280 — CVSS 7.1 (high): Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may…
CVE-2020-5263 — CVSS 5.5 (medium): auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an…