
CVE-2025-46345: Auth0 Account Link Extension JWT Invalid Signature Validation

6.9 CVSS

Description

Auth0 Account Link Extension is an extension that helps link accounts easily. Versions 2.3.4 to 2.6.6 do not verify the signature of the provided JWT. This allows a user to supply a forged token and potentially access user information without proper authorization. This issue has been patched in versions 2.6.7, 2.7.0, and 3.0.0. It is recommended to upgrade to version 3.0.0 or greater.
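The flaw class described above, shown as an added example that is not the extension's own code: a decode-only JWT handler next to one that verifies the signature before trusting any claim. The HS256 algorithm, the secret, the claim values and all function names are assumptions made for illustration.

```javascript
// Added example: constructed HS256 tokens; secret, claims and names are hypothetical.
const nodeCrypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Helper that builds sample tokens for this demo.
function signHS256(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Flawed pattern: parses the payload and trusts it; the signature is never checked.
function decodeOnly(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// Hardened pattern: pin the algorithm, compare the MAC in constant time, then parse.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= Date.now()) throw new Error('expired');
  return claims;
}

// Constructed sample: a valid token, then the same token with its payload replaced.
const SECRET = 'demo-secret-not-a-real-key';
const good = signHS256({ sub: 'user-a', exp: Math.floor(Date.now() / 1000) + 300 }, SECRET);
const [h, , s] = good.split('.');
const altered = `${h}.${b64url(JSON.stringify({ sub: 'user-b', exp: 9999999999 }))}.${s}`;

// True when the handler returns claims, false when it rejects the token.
function accepts(fn, token) {
  try { fn(token, SECRET); return true; } catch { return false; }
}
```

A regression test for a patched deployment can follow the same shape: feed the handler a token whose payload no longer matches its signature and assert that it is rejected.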

Classification

CVE ID: CVE-2025-46345

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-290: Authentication Bypass by Spoofing

Affected Products

Vendor: auth0-extensions

Product: auth0-account-link-extension

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.82% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-30 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46345
https://github.com/auth0-extensions/auth0-account-link-extension/security/advisories/GHSA-j2jh-rqff-7vmg
https://github.com/auth0-extensions/auth0-account-link-extension/pull/187

Timeline