CVE-2021-32702 – @auth0/nextjs-auth0

Package

Manager: npm
Name: @auth0/nextjs-auth0
Vulnerable Version: >=0 <1.4.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00581 pctl0.67949

Details

Reflected XSS from the callback handler's error query parameter ### Overview Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. ### Am I affected? You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. ### How to fix that? Upgrade to version `1.4.2`. ### Will this update impact my users? The fix adds basic HTML escaping to the error message and it should not impact your users. ### Credit https://github.com/inian https://github.com/git-ishanpatel

Metadata

Created: 2021-06-28T16:46:41Z
Modified: 2021-06-28T19:06:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-954c-jjx6-cxv7/GHSA-954c-jjx6-cxv7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-954c-jjx6-cxv7
Finding: F008
Auto approve: 1