CVE-2021-32702

Description

### Overview Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. ### Am I affected? You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. ### How to fix that? Upgrade to version `1.4.2`. ### Will this update impact my users? The fix adds basic HTML escaping to the error message and it should not impact your users. ### Credit https://github.com/inian https://github.com/git-ishanpatel

How to fix CVE-2021-32702

To remediate CVE-2021-32702, upgrade the affected package to a fixed version below.

• —upgrade to 1.4.2 or later

Is CVE-2021-32702 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.4.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32702
• WEBgithub.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf
• WEBgithub.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7
• WEBwww.npmjs.com/package/@auth0/nextjs-auth0