
# CVE-2019-16929: Security Vulnerability in auth0.net

**Published**: 10/03/2019

**CVE number**: CVE-2019-16929

**Credit**: Dennis Detering (Spike Reply GmbH)

## Overview

Versions of [auth0.net](https://github.com/auth0/auth0.net) and the associated NuGet package [Auth0.AuthenticationAPI](https://www.nuget.org/packages/Auth0.AuthenticationApi/) from `5.8.0` to `6.5.3` inclusive include a class named `IdentityTokenValidator` with a public `ValidateAsync` method that performs limited validation suitable only for Auth0-issued tokens.

## Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

* You are using the `IdentityTokenValidator` to validate untrusted ID tokens
* You are using a version of Auth0.AuthenticationAPI between `5.8.0` and `6.5.3` inclusive
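
To check both conditions across a code base, the following added example (not part of the advisory or of auth0.net) reads a project file for an Auth0.AuthenticationApi version in the affected range and lists source lines that mention `IdentityTokenValidator`. The function names, status labels and sample inputs are assumptions of this example, and it cannot tell whether the tokens are untrusted, so a hit only marks code to review.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "auth0.authenticationapi"                    # NuGet IDs are case-insensitive
FIRST_AFFECTED, LAST_AFFECTED = (5, 8, 0), (6, 5, 3)   # inclusive range from the advisory

def parse_version(text):
    """'6.5.3' or '6.5.3-beta1' -> (6, 5, 3); None for floating or range versions."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(?:[-+].*)?", (text or "").strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def local(tag):
    return tag.rsplit("}", 1)[-1]   # old-style csproj files carry an XML namespace

def package_versions(project_xml):
    """Version strings for the package from PackageReference or packages.config entries."""
    found = []
    for el in ET.fromstring(project_xml).iter():
        if local(el.tag) == "PackageReference":
            name = el.get("Include")
            version = el.get("Version") or next(
                (c.text for c in el if local(c.tag) == "Version"), None)
        elif local(el.tag) == "package":
            name, version = el.get("id"), el.get("version")
        else:
            continue
        if name and name.lower() == PACKAGE:
            found.append(version)
    return found

def validator_uses(source):
    """1-based line numbers in C# source that mention IdentityTokenValidator."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if re.search(r"\bIdentityTokenValidator\b", line)]

def assess(project_xml, sources):
    """sources: {path: C# text}. Returns (status, hits); status names are this example's own."""
    versions = [parse_version(v) for v in package_versions(project_xml)]
    uses = {p: validator_uses(s) for p, s in sources.items() if validator_uses(s)}
    if any(v is None for v in versions):
        return "check-manually", uses          # version is not a plain pinned number
    in_range = any(FIRST_AFFECTED <= v <= LAST_AFFECTED for v in versions)
    if in_range and uses:
        return "review-usage", uses            # both advisory conditions may apply
    return ("upgrade" if in_range else "not-in-range"), uses

# Constructed sample input, not taken from a real project.
CSPROJ = '<Project><ItemGroup><PackageReference Include="Auth0.AuthenticationApi" Version="6.5.3" /></ItemGroup></Project>'
SOURCE = {"Login.cs": "class Login {\n    private IdentityTokenValidator validator;\n}\n"}
```

Calling `assess(CSPROJ, SOURCE)` on the sample returns `review-usage` with the matching line in `Login.cs`.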

## How do I fix it?

Developers should not use the `IdentityTokenValidator` class to validate untrusted ID tokens. See [Validate ID Tokens](/docs/secure/tokens/id-tokens/validate-id-tokens) for our recommendations for validating ID tokens. [https://jwt.io/](https://jwt.io/) is a good resource on open source JWT validation libraries and their capabilities. Note that additional logic may be required based upon your use case.

Developers using [auth0.net](https://github.com/auth0/auth0.net) and the associated NuGet package [Auth0.AuthenticationAPI](https://www.nuget.org/packages/Auth0.AuthenticationApi/) between `5.8.0` and `6.5.3` inclusive should upgrade to the latest version, `6.5.4`, to prevent accidental usage of the `IdentityTokenValidator` class.

### Will this update impact my users?

No. This fix patches the client library that your application runs, but will not impact your users, their current state, or any existing sessions.
