CVE-2021-32702
HIGHnextjs-auth0 < 1.4.2 - Reflected Cross-Site Scripting via Error Query Parameter
Title source: llmDescription
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7
Patch, Third Party Advisory x_refsource_misc
https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf
Various Sources x_refsource_misc
https://www.npmjs.com/package/%40auth0/nextjs-auth0
Scores
CVSS v3
8.0
EPSS
0.0140
EPSS Percentile
69.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (2)
auth0/nextjs-auth0
< 1.4.2
auth0/nextjs-auth0
0 - 1.4.2npm
Published
Jun 25, 2021
Tracked Since
Feb 18, 2026