CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
auth0 auth0.js