CVE-2021-32702 HIGH

CVE-2021-32702: Reflected XSS from the callback handler's error query parameter

Vendor Auth0
Product nextjs-auth0
Weakness CWE-79 · XSS
Published June 25, 2021
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.

Key dates

02Disclosure timeline

June 25, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-27176 MajorDoMo Reflected Cross-Site Scripting in command.php CVE-2023-45602 WordPress Ebook Store Plugin <= 5.785 is vulnerable to Cross Site Scripting (XSS) CVE-2024-36221 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-23549 WordPress Maniac SEO plugin <= 2.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-66067 WordPress Funnel Builder by FunnelKit plugin <= 3.13.1.2 - Cross Site Scripting (XSS) vulnerability