PT-2025-18681 · Auth0 · Auth0 Account Link Extension
Published 2025-05-01 · Updated 2025-05-02 · CVE-2025-46345
CVSS v4.0: 6.9 (Medium)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Auth0 Account Link Extension versions 2.3.4 through 2.6.6
Description
Because the extension does not verify the signature of the JWT it is given, a user can supply a forged token and potentially access user information without proper authorization.
Recommendations
For versions 2.3.4 through 2.6.6, upgrade to version 3.0.0 or greater to resolve the issue.
Exploit
Fix
Weakness Enumeration
Authentication Bypass by Spoofing
Related Identifiers
CVE-2025-46345
Affected Products
Auth0 Account Link Extension