
auth0-js 9.26.1 using deprecated version of superagent 7.6.1 which contains references to polyfills.io - responsible for a recent supply chain attack

Open PriyankaRbakhshi opened this issue 1 year ago • 4 comments

Checklist

  • [X] The issue can be reproduced in the auth0-js sample app (or N/A).
  • [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • [X] I have looked into the API documentation and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Description

[email protected] has a dependency on superagent 7.6.1, which is deprecated. Superagent 7.6.1 contains a README.MD page which mentions polyfills.io. polyfills.io has recently been linked to a supply chain attack; please see the links below:

https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know

You can also find more details, with examples, on the site below: https://sansec.io/research/polyfill-supply-chain-attack

auth0-js should be updated to use the latest superagent dependency, version 9 and above.

Reproduction

npm install auth0-js
npm ls superagent

(see README.md)

Additional context

We are installing auth0-js using npm and don't use scripts or cdn.

auth0-js version

9.26.1

Which browsers have you tested in?

Chrome

PriyankaRbakhshi avatar Jul 01 '24 04:07 PriyankaRbakhshi

Hello, any update on this issue?

PriyankaRbakhshi avatar Jul 17 '24 02:07 PriyankaRbakhshi

I am curious about this as well, since Auth0 recommends using this library in conjunction with e.g. the Auth0-React SDK.

BUMP!

arsekil avatar Mar 21 '25 21:03 arsekil

Since the auth0 team is ignoring this, just force it like here: https://github.com/influxdata/ui/pull/6903/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R227

vavsab avatar May 27 '25 16:05 vavsab

If you are a pnpm user, add this in pnpm-workspace.yaml:

overrides:
  auth0-js>superagent: ^9.0.0

fullstackzach avatar May 30 '25 20:05 fullstackzach

@PriyankaRbakhshi,

Thank you for reporting this issue, and apologies for the delayed response — we appreciate your patience. We are actively working on this and plan to release a fix in the coming days.

amitsingh05667 avatar Jul 18 '25 06:07 amitsingh05667

@amitsingh05667 I believe it should be at least version 9 of Superagent, so that this vulnerability will get fixed: CVE-2025-46653

jonathandv avatar Aug 01 '25 12:08 jonathandv

@jonathandv, @PriyankaRbakhshi The superagent dependency has been upgraded to the latest version to address the polyfills.io vulnerability.

amitsingh05667 avatar Sep 25 '25 12:09 amitsingh05667