Description
Versions up to and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by supplying an XSS payload in the error query parameter, which the callback handler then processes and renders as an error message.
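As an added illustration (not code from @auth0/nextjs-auth0 or from this advisory), the following constructed callback handler reflects the error query parameter into its error page unescaped, next to the same handler with HTML escaping applied; the handler functions, the escaping helper and the sample callback URL are all hypothetical.

```javascript
// Added example: a constructed callback handler in the shape the advisory
// describes. The untrusted `error` query parameter is rendered as an error
// message, first unescaped (the reflected-XSS pattern) and then escaped.

// Minimal HTML escaping for untrusted text placed inside element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the attacker-controlled string is concatenated straight
// into the response body, so any markup in it becomes part of the page.
function renderErrorPageUnsafe(query) {
  const message = query.get('error') || 'Unknown error';
  return `<html><body><h1>Login error</h1><p>${message}</p></body></html>`;
}

// Hardened pattern: the same page, but the value is escaped before insertion,
// so it is displayed as text and cannot introduce tags or attributes.
function renderErrorPageSafe(query) {
  const message = query.get('error') || 'Unknown error';
  return `<html><body><h1>Login error</h1><p>${escapeHtml(message)}</p></body></html>`;
}

// Review/test helper: does the rendered body still contain the untrusted value
// verbatim (i.e. with its markup intact)?
function reflectsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Constructed sample callback URL whose error parameter carries markup.
const sampleQuery = new URL(
  'https://example.invalid/api/auth/callback?error=%3Cb%3Eoops%3C%2Fb%3E'
).searchParams;

console.log('unsafe reflects markup:',
  reflectsRawMarkup(renderErrorPageUnsafe(sampleQuery), '<b>oops</b>'));
console.log('safe reflects markup:',
  reflectsRawMarkup(renderErrorPageSafe(sampleQuery), '<b>oops</b>'));
```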
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Version details:
- Affected version(s): < 1.4.2
- Patched version(s): 1.4.2
References
Related Issues
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
- Parse Server crashes with query parameter - CVE-2021-39187
- Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler - CVE-2026-1721
- QooxDoo XSS in Callback Parameter - CVE-2011-1714
Tags:
- npm
- @auth0/nextjs-auth0
Last updated on February 01, 2023


