CVE-2021-32702

Reflected XSS from the callback handler's error query parameter

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.
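As an added illustration (not code from the SDK or the advisory), the following models a callback handler that reflects the `error` query parameter into an HTML error page: the vulnerable rendering beside the escaped form the fix describes, plus a log-side check for callback requests whose error parameters carry markup. The handler shape, host name and parameter fallback order are assumptions.

```javascript
// Added example, not code from @auth0/nextjs-auth0: a minimal model of a
// callback handler that renders the `error` query parameter as an HTML error
// page. renderErrorUnsafe() reproduces the pattern behind CVE-2021-32702;
// renderErrorSafe() applies the HTML escaping the fix describes.

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the error message the identity provider sent back, as a callback
// handler would. Parameter names follow OAuth 2.0 error responses; the
// fallback order is an assumption of this example.
function errorMessageFromCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  return params.get('error_description') ?? params.get('error') ?? 'Unknown error';
}

// Vulnerable form: the untrusted message is concatenated directly into markup,
// so any tags it contains become part of the page the browser renders.
function renderErrorUnsafe(callbackUrl) {
  const message = errorMessageFromCallback(callbackUrl);
  return `<!doctype html><h1>Login error</h1><p>${message}</p>`;
}

// Hardened form: characters with meaning in HTML are escaped before insertion,
// so the message is displayed as text instead of being parsed as markup.
function renderErrorSafe(callbackUrl) {
  const message = errorMessageFromCallback(callbackUrl);
  return `<!doctype html><h1>Login error</h1><p>${escapeHtml(message)}</p>`;
}

// Defender-side check for access logs: does a callback request carry markup in
// its error parameters? Useful for spotting probing of unpatched deployments.
function callbackErrorCarriesMarkup(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  return ['error', 'error_description'].some((k) => /[<>]/.test(params.get(k) ?? ''));
}

// Constructed sample callback URLs (hypothetical host): one benign, one hostile.
const BENIGN_CALLBACK =
  'https://app.example.invalid/api/auth/callback?error=access_denied&error_description=User%20cancelled';
const HOSTILE_CALLBACK =
  'https://app.example.invalid/api/auth/callback?error=' +
  encodeURIComponent('<script>alert(1)</script>');
```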

Score and impact

CVSS: 8.0 (Severity: High)
EPSS: 0.58%
Affected: auth0 nextjs-auth0

References

Third-Party Advisory: github.com

Frequently Asked Questions

What is the severity of CVE-2021-32702?
CVE-2021-32702 has been scored as a high severity vulnerability.
How to fix CVE-2021-32702?
To fix CVE-2021-32702, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2021-32702 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2021-32702 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32702?
CVE-2021-32702 affects auth0 nextjs-auth0.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.