
# CVE-2021-32641: Security Update for Auth0 Lock Library

**Published**: June 4, 2021

**CVE number**: CVE-2021-32641

## Overview

Versions before and including `11.30.0` are vulnerable to a reflected XSS. An attacker can execute arbitrary code when either:

* the library's `flashMessage` feature is used and user input or data from URL parameters is incorporated into the `flashMessage`, or
* the library's `languageDictionary` feature is used and user input or data from URL parameters is incorporated into the `languageDictionary`.

## Am I affected?

This vulnerability affects you if your implementation fits either of these descriptions:

### flashMessage vulnerability

If all of these conditions are true, you're vulnerable:

* You use `auth0-lock` version `11.30.0` or older.
* You use the `flashMessage` feature.
* User input or data from URL parameters is incorporated into the `flashMessage`.

This is an example of a vulnerable snippet where query parameters are used to populate the `text` property of a `flashMessage`:

```javascript
var params = new URLSearchParams(location.search);

// Value taken straight from the URL, so it is attacker-controlled.
var errorMessage = params.get('error__message');
var showParams = {};

if (errorMessage) {
  showParams.flashMessage = {
    type: 'error',
    // The raw parameter is concatenated into the rendered message: this is the XSS sink.
    text: 'We were unable to log you in. ' + errorMessage,
  };
}

lock.show(showParams);
```

### languageDictionary vulnerability

If all of these conditions are true, you're vulnerable:

* You use `auth0-lock` version `11.30.0` or older.
* You use the `languageDictionary` feature.
* User input or data from URL parameters is used in `languageDictionary` properties.

This is an example of a vulnerable snippet that uses query parameters to populate the `socialLoginInstructions` property of a `languageDictionary`:

```javascript
var params = new URLSearchParams(location.search);
// Value taken straight from the URL, so it is attacker-controlled.
var instruction = params.get('instruction');

var options = {
  languageDictionary: {
    emailInputPlaceholder: "something@youremail.com",
    title: "title",
    // The raw parameter becomes a dictionary string that Lock renders: this is the XSS sink.
    socialLoginInstructions: instruction
  },
};

// CLIENT_ID and DOMAIN are the tenant's own values.
var lock = new Auth0LockPasswordless(
    CLIENT_ID,
    DOMAIN,
    options
);

lock.show();
```

## How do I fix this?

Upgrade to `auth0-lock` version `11.30.1`.

## Will this update impact my users?

The fix uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the `flashMessage` and `languageDictionary` inputs. It removes any JavaScript in these fields, such as `script` tags or `onclick` attributes.
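Upgrading is the fix. Independently of the library's sanitization, the two snippets above can be hardened at the application level so that the URL never supplies the text at all. The following is an added example, not Auth0's code: the URL parameter only selects an entry from a fixed, application-controlled table, and the names `buildShowParams`, `selectLanguageDictionary`, `ERROR_MESSAGES` and `DICTIONARIES` are hypothetical.

```javascript
// Added example (not Auth0's code). Instead of reflecting the raw URL value
// into flashMessage.text, map a short error code onto a fixed message table,
// so no attacker-controlled string ever reaches Lock.
const ERROR_MESSAGES = {
  invalid_credentials: 'The email or password you entered is incorrect.',
  account_locked: 'Your account is locked. Please contact support.',
  session_expired: 'Your session expired. Please log in again.',
};
const GENERIC_MESSAGE = 'We were unable to log you in. Please try again.';

// Builds the argument for lock.show() from a query string such as
// "?error=invalid_credentials". Only the lookup result is used; the raw
// parameter is never copied into the message, so any markup in it is inert.
function buildShowParams(search) {
  const params = new URLSearchParams(search);
  const code = params.get('error');
  const showParams = {};
  if (code !== null) {
    // hasOwnProperty avoids matching prototype members such as "constructor".
    const known = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code);
    showParams.flashMessage = {
      type: 'error',
      text: known ? ERROR_MESSAGES[code] : GENERIC_MESSAGE,
    };
  }
  return showParams;
}

// Same idea for languageDictionary: the URL picks a whole predefined
// dictionary by key rather than supplying socialLoginInstructions itself.
const DICTIONARIES = {
  en: { title: 'Log in', socialLoginInstructions: 'Continue with your social account' },
  de: { title: 'Anmelden', socialLoginInstructions: 'Mit Ihrem sozialen Konto fortfahren' },
};

function selectLanguageDictionary(search) {
  const lang = new URLSearchParams(search).get('lang');
  const known = Object.prototype.hasOwnProperty.call(DICTIONARIES, lang);
  return known ? DICTIONARIES[lang] : DICTIONARIES.en;
}
```

The returned objects are passed to `lock.show(...)` and to the `languageDictionary` option exactly as in the snippets above; only the source of the strings changes.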
