{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/auth0.js-sdk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["auth0.js SDK"],"_cs_severities":["high"],"_cs_tags":["auth0","sdk","vulnerability","authentication"],"_cs_type":"advisory","_cs_vendors":["Auth0","Okta"],"content_html":"\u003cp\u003eThe Auth0.js SDK, versions 8.11.0 through 9.32.0, contains a vulnerability (CVE-2026-42280) in which it may return user profile information even when presented with a specially crafted, invalid ID token. Two preconditions apply: the application is built on an affected SDK version, and its access control relies heavily on rules defined in Auth0 Actions. Because the profile is derived from a token the SDK has not properly validated, an attacker who can substitute a crafted ID token may bypass those access controls and obtain user profile data the application should have withheld. Applications that use the SDK for both authentication and authorization are therefore exposed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application that uses Auth0.js SDK 8.11.0 to 9.32.0 and enforces access control through Auth0 Actions.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an invalid ID token designed to pass the SDK\u0026rsquo;s flawed permission check.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the application with valid credentials and obtains a legitimate access token.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts or modifies the authentication flow, replacing the legitimate ID token with the crafted one.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SDK processes the crafted ID token without proper validation and associates it with the valid access token.\u003c/li\u003e\n\u003cli\u003eThe application asks the SDK for the user\u0026rsquo;s profile information.\u003c/li\u003e\n\u003cli\u003eThe SDK, trusting the association between the access token and the crafted ID token, returns profile information, bypassing the rules enforced in Auth0 Actions.\u003c/li\u003e\n\u003cli\u003eAttacker obtains user profile data they were not authorized to see, which can serve as a foothold for further exploitation or data exposure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42280 gives an attacker unauthorized access to user profile information in applications running vulnerable versions of the Auth0.js SDK. Where an application\u0026rsquo;s access control relies heavily on Auth0 Actions, attackers can bypass those rules and potentially escalate privileges or reach sensitive data. The number of affected applications is currently unknown, but any application meeting the stated preconditions is at risk. The vulnerability was responsibly disclosed by Quan Le (@aleister1102).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the auth0/auth0.js SDK to version 10.0.0 or later to remediate CVE-2026-42280. 10.0.0 is a new major version, so validate the upgrade in a staging environment before rolling it out.\u003c/li\u003e\n\u003cli\u003eReview and harden the access control rules defined in Auth0 Actions, and do not let a profile returned by the client-side SDK be the sole basis for an authorization decision: enforce access server-side against tokens whose signature, issuer, audience, expiry and nonce have been verified.\u003c/li\u003e\n\u003cli\u003eMonitor application and Auth0 tenant logs for ID token validation failures, repeated authentication attempts by the same principal, and unusual patterns of access to user profile data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-auth0-sdk-bypass/","summary":"The Auth0.js SDK versions 8.11.0 to 9.32.0 improperly returns user profile information when provided a crafted invalid ID token, potentially bypassing access controls relying on Auth0 Actions.","title":"Auth0.js SDK Improper Permission Checking Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-auth0-sdk-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Auth0.js SDK","version":"https://jsonfeed.org/version/1.1"}