6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11537

GHSA ID

GHSA-vm2p-f5j4-mj6g

EPSS Score

0.63329%

CWE

CWE-20

Published

5/14/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-11537

CVE-2018-11537: Auth0 angular-jwt misinterprets allowlist as regex

Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain allowlist filter via a crafted domain.

For example, if the setting is initialized with:

jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];

An attacker can set up a domain whitelistedXexample.com that will pass the allow list filter, as it considers the . separator to be a regex whildcard which matches any character.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11537

GHSA ID

GHSA-vm2p-f5j4-mj6g

EPSS Score

0.63329%

CWE

CWE-20

Published

5/14/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
angular-jwt	npm	< 0.1.10	0.1.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the whiteListedDomains array was processed. In the original code, non-RegExp entries were converted to case-insensitive regex patterns (e.g., new RegExp(domain, 'i')). This caused domain strings like 'whitelisted.Example.com' to match 'whitelistedXexample.com' due to the unescaped '.' acting as a regex wildcard. The patch replaced this logic with strict string equality checks for non-RegExp entries, confirming the root cause was in the regex conversion step. The affected code is located in the interceptor's domain validation loop, specifically in the logic handling whiteListedDomains entries.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ut** *n*ul*r-jwt ***or* *.*.** tr**ts w*it*List***om*ins *ntri*s *s r**ul*r *xpr*ssions, w*i** *llows r*mot* *tt**k*rs wit* knowl**** o* t** `jwtInt*r**ptorProvi**r.w*it*List***om*ins` s*ttin* to *yp*ss t** *om*in *llowlist *ilt*r vi* * *r**t** *om*

Reasoning

T** vuln*r**ility st*ms *rom *ow t** `w*it*List***om*ins` *rr*y w*s pro**ss**. In t** ori*in*l *o**, non-R***xp *ntri*s w*r* *onv*rt** to **s*-ins*nsitiv* r***x p*tt*rns (*.*., `n*w R***xp(*om*in, 'i')`). T*is **us** *om*in strin*s lik* 'w*it*list**.

6.5

Basic Information

Concerned about an active attack path?

CVE-2018-11537: Auth0 angular-jwt misinterprets allowlist as regex

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI