CVE-2021-32641

HIGH8.1EPSS 0.79%

Reflected XSS when using flashMessages or languageDictionary

Published: 6/4/2021Modified: 3/13/2026

Description

### Overview Versions before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's - `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage`. - `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. ### Am I affected? You are affected by this vulnerability if you are using `auth0-lock` version `11.30.0` or lower and all of the following conditions apply: - You are utilizing `flashMessage` feature. - User input or data from URL parameters is incorporated into the `flashMessage`. An example of a vulnerable snippet where query parameters are used to populate the `text` property of a `flashMessage`. ```js var params = new URLSearchParams(location.search); var errorMessage = params.get('error__message'); var showParams = {}; if (!!errorMessage === true) { showParams.flashMessage = { type: 'error', text: 'We were unable to log you in. ' + errorMessage, }; } lock.show(showParams); ``` OR - You are utilizing `languageDictionary` feature. - User input or data from URL parameters is used in `languageDictionary` properties. An example of a vulnerable snippet where query parameters are used to populate the `socialLoginInstructions` property of a `languageDictionary`. ```js var params = new URLSearchParams(location.search); var instruction = params.get('instruction'); var options = { languageDictionary: { emailInputPlaceholder: "[email protected]", title: "title", socialLoginInstructions: instruction }, }; var lock = new Auth0LockPasswordless( CLIENT_ID, DOMAIN, options ); lock.show() ``` ### How to fix that? Upgrade to version `11.30.1`. ### Will this update impact my users? The fix uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitise the `flashMessage` and `languageDictionary` inputs. If you are including inline JavaScript in these fields, like `script` tags or `onclick` attributes, these will be removed.

Affected packages (1)

npm/auth0-lockfrom 0, < 11.30.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Affected packages (1)

CVSS scores

References (4)