CVE-2021-32702— Reflected XSS from the callback handler's error query parameter
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32702
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected XSS from the callback handler's error query parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Auth0 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Auth0是是一个身份验证代理,支持社会和企业身份提供者,包括Active Directory、LDAP、谷歌Apps和Salesforce。 Auth0 Next.js SDK 存在跨站脚本漏洞,该漏洞源于1.4.1及之前版本容易受到反射XSS的影响。攻击者可利用该漏洞可以通过在error查询参数中提供XSS有效负载来执行任意代码,然后由回调处理程序将其作为错误消息处理。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| auth0 | nextjs-auth0 | < 1.4.2 | - |
II. Public POCs for CVE-2021-32702
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6264 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2021-32702
请登录查看更多情报信息。
- https://www.npmjs.com/package/%40auth0/nextjs-auth0x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-32702
IV. Related Vulnerabilities
Same product: nextjs-auth0
- CVE-2026-40155
Auth0 Next.js SDK has Improper Proxy Cache Lookup - CVE-2025-67716
Auth0 Next.js SDK has Improper Validation of Query Parameter - CVE-2025-67490
Auth0 Next.js SDK has Improper Request Caching Lookup - CVE-2025-48947
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookie - CVE-2025-46344
Auth0 NextJS SDK v4 Missing Session Invalidation
Same vendor: auth0
- CVE-2026-40155
Auth0 Next.js SDK has Improper Proxy Cache Lookup - CVE-2026-34236
Auth0 PHP SDK Insufficient Entropy in Cookie Encryption - CVE-2025-68129
Auth0-PHP SDK has Improper Audience Validation - CVE-2025-67716
Auth0 Next.js SDK has Improper Validation of Query Parameter - CVE-2025-67490
Auth0 Next.js SDK has Improper Request Caching Lookup
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2021-32702
No comments yet