# CVE-2021-32702: Security Update for Auth0 Next.js Library

**Published**: June 23, 2021

**CVE number**: `CVE-2021-32702`

## Overview

Versions of `@auth0/nextjs-auth0` up to and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter, which the callback handler then processes as an error message.

## Am I affected?

You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response.

### How do I fix it?

Upgrade to version `1.4.2`.

### Will this update impact my users?

The fix adds basic HTML escaping to the error message, and it should not impact your users.
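The pattern this advisory describes, as an added example that is not the library's own code: a hypothetical callback error renderer that reflects the `error` query parameter into HTML, next to a version that applies basic HTML escaping. The function names and the sample URL are assumptions made for illustration.

```javascript
// Illustrative sketch only; not the @auth0/nextjs-auth0 source.
// All function names and the sample URL below are hypothetical.

// Basic HTML escaping: neutralise the characters that can open a tag,
// close an attribute, or start an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;') // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read the attacker-controllable `error` query parameter from a callback URL.
function getErrorParam(callbackUrl) {
  return new URL(callbackUrl).searchParams.get('error') || '';
}

// Vulnerable pattern: the parameter value is placed into the HTML body verbatim,
// so markup in the query string becomes markup in the response.
function renderErrorUnsafe(callbackUrl) {
  return `<p>Callback failed: ${getErrorParam(callbackUrl)}</p>`;
}

// Hardened pattern: the value is escaped before it reaches the HTML response,
// so the browser renders it as text.
function renderErrorSafe(callbackUrl) {
  return `<p>Callback failed: ${escapeHtml(getErrorParam(callbackUrl))}</p>`;
}

// Constructed sample input: a callback URL whose `error` value contains markup.
const SAMPLE_URL =
  'https://app.example/callback?error=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderErrorUnsafe(SAMPLE_URL));
console.log('safe:  ', renderErrorSafe(SAMPLE_URL));
```

A regression test for custom error handlers can assert the same property: the response body for a request carrying markup in `error` contains no unescaped `<`.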

### Credit

[https://github.com/inian](https://github.com/inian)
