Reflected XSS when using flashMessages or languageDictionary

Description

Versions before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library’s

• flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage.

Recommendation

Update the auth0-lock package to the latest compatible version. Followings are version details:

• Affected version(s): < 11.30.1
• Patched version(s): 11.30.1

References

• GHSA-jr3j-whm4-9wwm
• CVE-2021-32641
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
• Reflected XSS from the callback handler's error query parameter - CVE-2021-32702
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
• Svelte vulnerable to XSS when using objects during server-side rendering - CVE-2022-25875

Tags:

npm

auth0-lock