Auth0 · @Auth0/Nextjs-Auth0 · CVE-2021-32702
**Name of the Vulnerable Software and Affected Versions**
@auth0/nextjs-auth0 versions prior to 1.4.2
**Description**
This is a reflected cross-site scripting (XSS) vulnerability. An attacker can execute arbitrary code in a victim's browser by supplying an XSS payload in the `error` query parameter, which the callback handler processes as an error message and reflects, unescaped, into its HTML response. Users are affected if they run @auth0/nextjs-auth0 version 1.4.1 or lower, unless they use custom error handling that does not return the error message in an HTML response.
**Recommendations**
Upgrade to version 1.4.2 to resolve the issue. The fix adds basic HTML escaping to the error message. As a temporary workaround, consider using custom error handling that does not return the error message in an HTML response to minimize the risk of exploitation.
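To make the failure mode and the fix concrete, the following is an added example modelled on the advisory, not code from @auth0/nextjs-auth0: a minimal callback handler that reflects the `error` query parameter into an HTML error page, first unescaped (the pre-1.4.2 behaviour) and then with the kind of basic HTML escaping the fix adds. The callback URL, page layout and helper names are constructed for illustration.

```javascript
// Added example, not @auth0/nextjs-auth0 code. Models a callback handler that
// reflects the `error` query parameter into an HTML error page, unescaped and
// then escaped, so the two response bodies can be compared side by side.

// Basic HTML escaping of the five characters that can break out of element
// content or a quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Pre-fix shape: the error message is interpolated verbatim into the HTML.
function renderErrorPageUnsafe(errorMessage) {
  return `<html><body><h1>Login error</h1><p>${errorMessage}</p></body></html>`;
}

// Fixed shape: the same page, but the message is escaped before interpolation.
function renderErrorPageSafe(errorMessage) {
  return `<html><body><h1>Login error</h1><p>${escapeHtml(errorMessage)}</p></body></html>`;
}

// Callback-handler model: reads `error` from the callback URL's query string
// (where an identity provider would normally put a code such as
// "access_denied") and produces the HTML response body via `render`.
function handleCallback(url, render) {
  const params = new URL(url).searchParams;
  const error = params.get('error');
  if (error !== null) {
    return { status: 400, body: render(error) };
  }
  return { status: 200, body: '<html><body>ok</body></html>' };
}

// Constructed sample: an `error` value carrying markup instead of a plain
// OAuth error code. The hostname and path are placeholders.
const sampleUrl =
  'https://app.example/api/auth/callback?error=<script>alert(1)</script>';

// Review check usable on any response body: did untrusted input survive as a
// live tag, or was it neutralised into text?
function containsRawTag(body, tag) {
  return body.includes(`<${tag}`);
}

// Stand-alone run: compare the two handlers on the same request.
console.log(handleCallback(sampleUrl, renderErrorPageUnsafe).body);
console.log(handleCallback(sampleUrl, renderErrorPageSafe).body);
```

The unescaped handler returns the payload as a live `<script>` element; the escaped one returns it as inert text, which is exactly the difference between the affected releases and 1.4.2.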