# CVE-2020-15240: Security Update for omniauth-auth0 JWT Validation

**Published**: October 21st, 2020

**CVE number**: CVE-2020-15240

## Overview

Versions `2.3.0` and later improperly validate the JSON Web Token (JWT) signature when using the `JWTValidator.verify` method. Improper validation of the JWT signature when not using the default Authorization Code Flow can allow an attacker to bypass authentication and authorization.

## Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

* You are using `omniauth-auth0`
* You are using the `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow.

## How do I fix it?

Upgrade to version `2.4.1`.
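
To check the version condition across many applications, the following added example (not part of the original advisory or the SDK) reads a `Gemfile.lock` and reports whether the resolved `omniauth-auth0` version falls in the range stated above. The helper names and the sample lockfile are constructed for illustration, and the script does not check the second condition (direct use of `JWTValidator.verify` or a non-default flow).

```ruby
# Added example: flag a locked omniauth-auth0 version that falls in the
# range this advisory describes (2.3.0 and later, fixed in 2.4.1).
require "rubygems"

GEM_NAME = "omniauth-auth0"
# Range derived from the advisory text: affected from 2.3.0, fixed in 2.4.1.
AFFECTED = Gem::Requirement.new(">= 2.3.0", "< 2.4.1")

# Returns the resolved version from Gemfile.lock text, or nil if the gem is
# not locked. Only the four-space "specs:" entry carries the resolved
# version; six-space lines and the DEPENDENCIES section hold constraints.
def locked_version(lockfile_text, gem_name = GEM_NAME)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*$/
  match = lockfile_text.match(pattern)
  match && Gem::Version.new(match[1])
end

# Returns :not_present, :affected or :not_affected for the lockfile text.
def advisory_status(lockfile_text)
  version = locked_version(lockfile_text)
  return :not_present if version.nil?
  AFFECTED.satisfied_by?(version) ? :affected : :not_affected
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (1.9.1)
      omniauth-auth0 (2.3.1)
        omniauth-oauth2 (~> 1.5)
      omniauth-oauth2 (1.7.0)

  DEPENDENCIES
    omniauth-auth0 (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "#{GEM_NAME}: #{locked_version(text) || 'not locked'} => #{advisory_status(text)}"
end
```

Pass the path to a `Gemfile.lock` as the first argument; with no argument the script evaluates the constructed sample.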

## Will this update impact my users?

The fix provided in this version will not affect your users.
