The Auth0 Auth0.js library prior to 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
auth0 auth0.js