
Omniauth-auth0 depends on vulnerable Rack version (CVE-2024-25126) #212

Description

@tenet07

Checklist

  • The issue can be reproduced in the Rails sample app (or N/A).
  • I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

AWS Inspector is flagging a high-severity vulnerability (CVSS 7.5) in the rack gem used by omniauth-auth0.

Even after upgrading our Rails application to use rack >= 3.2.3, the omniauth-auth0 gem internally depends on rack (2.2.7), which is vulnerable.

Details

Vulnerability ID: CVE-2024-25126

Package: rack

Vulnerable versions: < 3.0.9.1

Fixed version: >= 3.0.9.1

Detected in file: /tmp/bundle/ruby/3.3.0/gems/omniauth-auth0-3.1.1/Gemfile.lock

Severity: High (7.5)

CWE: CWE-1333

Environment

omniauth-auth0 version: 3.1.1

Ruby version: 3.3.0

Rails version: 7.0.8.4

Rack version (app): 3.2.3

Inspector tool: AWS Inspector (October 2025 report)

Suggested Fix

Update gemspec to relax or bump Rack dependency to >= 3.0.9.1.

Rebuild and publish a new patch release (3.1.2 or 3.2.0) that uses the secure Rack version.

References

NVD: CVE-2024-25126

Rack Advisory

Reproduction

Steps to Reproduce

Use omniauth-auth0 (v3.1.1) in a Rails app.

Upgrade the Rails app dependencies to use rack ~> 3.2.3.

Run AWS Inspector or Trivy — it still reports a vulnerability because the gem’s internal dependency tree locks rack at 2.2.7.

Expected Behavior

omniauth-auth0 should allow or upgrade to use the patched Rack versions (>= 3.0.9.1) to eliminate the vulnerability.

Additional context

No response

omniauth-auth0 version

3.1.1

OmniAuth version

2.1.4

Ruby version

3.3.8
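The check the scanner in this report performs, written out as a small Ruby example (added here; not code from the issue or from the omniauth-auth0 project): parse the `specs:` section of a Gemfile.lock, then flag any `rack` entry inside the affected range the report gives (`< 3.0.9.1`). The lock-file excerpt is constructed for illustration, using the versions named in the issue.

```ruby
require "rubygems"

# Advisory data as stated in the report above (one entry only; a real scanner
# loads a full advisory database). Gem::Requirement gives the same range
# semantics Bundler uses, so "< 3.0.9.1" matches 2.2.7 but not 3.2.3.
ADVISORIES = {
  "rack" => { id: "CVE-2024-25126", affected: Gem::Requirement.new("< 3.0.9.1") }
}.freeze

# Parse resolved gems out of Gemfile.lock text, returning {name => [Gem::Version]}.
# Inside a "specs:" block, a four-space-indented "name (version)" line is a
# resolved gem; six-space lines are that gem's dependency constraints and are
# skipped, so "rack (>= 2.2.3)" under omniauth is never mistaken for a version.
def parse_lockfile_specs(lock_text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
    elsif !line.start_with?(" ")
      in_specs = false # blank line or next top-level block (PLATFORMS, ...) ends the list
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] << Gem::Version.new(m[2]) if Gem::Version.correct?(m[2])
    end
  end
  specs
end

# Cross the resolved gems against the advisory table; one finding per match.
def findings_for(lock_text, advisories = ADVISORIES)
  parse_lockfile_specs(lock_text).flat_map do |name, versions|
    adv = advisories[name]
    next [] unless adv
    versions.select { |v| adv[:affected].satisfied_by?(v) }
            .map { |v| { gem: name, version: v.to_s, advisory: adv[:id] } }
  end
end

# Constructed lock-file excerpt (not a real omniauth-auth0 lock file), using the
# versions the report names: omniauth-auth0 3.1.1, omniauth 2.1.4, rack 2.2.7.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (2.1.4)
        rack (>= 2.2.3)
      omniauth-auth0 (3.1.1)
        omniauth (~> 2.1)
      rack (2.2.7)

  PLATFORMS
    ruby
LOCK

findings_for(SAMPLE_LOCK).each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:advisory]}" }
```

A lock file found inside an installed gem's directory records what that gem's own development bundle resolved, whereas the version an application actually loads is the one in the application's Gemfile.lock, so run the check against both files and read each finding against the load path it applies to.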
