Checklist
- The issue can be reproduced in the Rails sample app (or N/A).
- I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
AWS Inspector is flagging a high-severity vulnerability (CVSS 7.5) in the rack gem used by omniauth-auth0.
Even after upgrading our Rails application to use rack >= 3.2.3, the omniauth-auth0 gem internally depends on rack (2.2.7), which is vulnerable.
Details
Vulnerability ID: CVE-2024-25126
Package: rack
Vulnerable versions: < 3.0.9.1
Fixed version: >= 3.0.9.1
Detected in file: /tmp/bundle/ruby/3.3.0/gems/omniauth-auth0-3.1.1/Gemfile.lock
Severity: High (7.5)
CWE: CWE-1333
Environment
omniauth-auth0 version: 3.1.1
Ruby version: 3.3.0
Rails version: 7.0.8.4
Rack version (app): 3.2.3
Inspector tool: AWS Inspector (October 2025 report)
Suggested Fix
Update gemspec to relax or bump Rack dependency to >= 3.0.9.1.
Rebuild and publish a new patch release (3.1.2 or 3.2.0) that uses the secure Rack version.
References
NVD: CVE-2024-25126
Reproduction
Steps to Reproduce
Use omniauth-auth0 (v3.1.1) in a Rails app.
Upgrade the Rails app dependencies to use rack ~> 3.2.3.
Run AWS Inspector or Trivy — it still reports a vulnerability because the gem’s internal dependency tree locks rack at 2.2.7.
Expected Behavior
omniauth-auth0 should allow or upgrade to use the patched Rack versions (>= 3.0.9.1) to eliminate the vulnerability.
Additional context
No response
omniauth-auth0 version
3.1.1
OmniAuth version
2.1.4
Ruby version
3.3.8
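Added example, not code from the issue or from the omniauth-auth0 project: a small Ruby script that does what a lockfile scanner such as Inspector or Trivy does on the two files involved here. It parses the resolved entries of a Gemfile.lock, pulls out the rack version, and compares it with the fixed version the report names (>= 3.0.9.1 for CVE-2024-25126). Both lockfiles are constructed samples cut down to the relevant lines; the application one reflects the upgrade to rack 3.2.3, the other stands in for the Gemfile.lock that sits inside the installed gem directory at the path the report quotes. Running it shows why the scanner keeps reporting: it has no notion of which lockfile the app actually resolves with, so it scores each file on its own.

```ruby
# Added example (not from the issue or the omniauth-auth0 gem): reproduce what a
# lockfile scanner does on the two Gemfile.lock files mentioned in the report.
# Both lockfiles below are constructed samples, shortened to the lines that
# matter; the threshold is the fixed version the report itself names.

require "rubygems" # provides Gem::Version for correct version comparison

# The application's own Gemfile.lock after upgrading rack to 3.2.3.
APP_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (2.1.4)
        hashie (>= 3.4.6)
        rack (>= 2.2.3)
      omniauth-auth0 (3.1.1)
        omniauth (~> 2.1)
      rack (3.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    omniauth-auth0 (~> 3.1)
    rack (~> 3.2.3)
LOCK

# Stand-in for the Gemfile.lock shipped inside the installed gem directory
# (gems/omniauth-auth0-3.1.1/Gemfile.lock in the report).
GEM_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (2.1.4)
        hashie (>= 3.4.6)
        rack (>= 2.2.3)
      rack (2.2.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    omniauth (~> 2.1)
    rack
LOCK

# Fixed version as stated in the report (NVD: CVE-2024-25126).
FIXED_RACK = Gem::Version.new("3.0.9.1")

# Parse the resolved (top-level) entries of the `specs:` section into
# { "name" => Gem::Version }. Only lines indented by exactly four spaces are
# resolved gems; the deeper lines are dependency constraints ("rack (>= 2.2.3)")
# and must not be mistaken for a resolved version.
def resolved_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
      next
    end
    # A blank line or a new top-level section (GEM, PLATFORMS, ...) ends specs.
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Returns a finding hash for rack, or nil when rack is absent or at/after the fix.
def rack_finding(lockfile_text, source)
  version = resolved_specs(lockfile_text)["rack"]
  return nil if version.nil? || version >= FIXED_RACK
  { cve: "CVE-2024-25126", package: "rack", version: version.to_s,
    fixed: FIXED_RACK.to_s, source: source }
end

# Scan every lockfile found, as a filesystem scanner does: it cannot tell which
# file the application loads, so each file is reported on its own.
def scan_all(locks)
  locks.filter_map { |source, text| rack_finding(text, source) }
end

if __FILE__ == $PROGRAM_NAME
  findings = scan_all(
    "Gemfile.lock" => APP_LOCK,
    "gems/omniauth-auth0-3.1.1/Gemfile.lock" => GEM_LOCK
  )
  findings.each do |f|
    puts "#{f[:source]}: #{f[:package]} #{f[:version]} < #{f[:fixed]} (#{f[:cve]})"
  end
end
```

Only the vendored gem lockfile produces a finding; the application lockfile is clean. To confirm which rack the app really loads, `bundle info rack` run from the app directory reports the version Bundler resolved, independent of any lockfile that happens to be packaged inside a gem. Two caveats for anyone adapting this: the check uses only the single threshold the report gives, whereas the rack advisory for this CVE also lists a fixed release on the 2.2 branch (2.2.8.1), so a real scanner encodes each affected range from the advisory rather than one lower bound; and Gem::Version, not string comparison, is what makes "3.0.10" sort after "3.0.9.1".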