Description
Versions of @auth0/nextjs-auth0 up to and including 1.4.1 are vulnerable to reflected cross-site scripting (XSS). An attacker can execute arbitrary code in a victim's browser by supplying an XSS payload in the `error` query parameter of a crafted link; the callback handler renders that value as an error message, reflecting the payload into the page.
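The following is an added illustration of the pattern described above; it is constructed for this page and is not code from the @auth0/nextjs-auth0 package. The handler names, the `query` shape and the sample `error` value are assumptions; the point is the difference between interpolating the `error` parameter raw and HTML-escaping it before it reaches the response.

```javascript
// Constructed example (not the package's own code): a callback handler that
// echoes the `error` query parameter into its HTML error page.

// Minimal HTML escaper for the characters that matter in text and
// attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE shape (hypothetical): the untrusted `error` value is placed in
// the response body unescaped, so markup in the parameter becomes markup
// in the page. This mirrors the reflected XSS the advisory describes.
function renderCallbackErrorVulnerable(query) {
  const message = query.error || 'Unknown error';
  return `<p>Callback failed: ${message}</p>`;
}

// HARDENED shape: escape before interpolating and cap the length, so the
// parameter is shown as text rather than interpreted as HTML. Better still
// is to map known error codes to fixed messages and never echo the input.
function renderCallbackErrorSafe(query) {
  const message = String(query.error || 'Unknown error').slice(0, 200);
  return `<p>Callback failed: ${escapeHtml(message)}</p>`;
}

// Simple regression check usable in a test suite: does markup from the
// input survive verbatim in the rendered response?
function reflectsMarkup(input, html) {
  return /[<>]/.test(input) && html.includes(input);
}

// Constructed sample value standing in for a crafted `?error=` parameter.
const sampleQuery = { error: '<script>/* constructed */</script>' };
```

Running `reflectsMarkup(sampleQuery.error, renderCallbackErrorVulnerable(sampleQuery))` returns `true` for the vulnerable handler and `false` for the hardened one.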
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Version details:
- Affected version(s): < 1.4.2
- Patched version(s): 1.4.2
Tags: npm, @auth0/nextjs-auth0
Last updated on February 01, 2023