docs: correct attribution in changelog for security fix

tusharpandey13 · tusharpandey13 · commit 5725b07d0fac · 2025-11-17T10:09:50.000+05:30
Credit Joshua Rogers (@MegaManSec) as the original author who discovered and fixed the OAuth parameter injection vulnerability in PR #2381. This corrects an attribution error in PR #2413 where the commit message incorrectly credited a different person.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
 
+## [Unreleased](https://github.com/auth0/nextjs-auth0/tree/HEAD)
+
+**Security**
+- Prevent OAuth parameter injection via returnTo parameter [\#2413](https://github.com/auth0/nextjs-auth0/pull/2413)
+  - Security issue discovered and fixed by **Joshua Rogers ([@MegaManSec](https://github.com/MegaManSec))** in [\#2381](https://github.com/auth0/nextjs-auth0/pull/2381)
+  - Added comprehensive unit test coverage
+  - URL encodes returnTo parameter to prevent injection of OAuth parameters
+
 ## [v4.12.1](https://github.com/auth0/nextjs-auth0/tree/v4.12.1) (2025-11-13)
 [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.12.0...v4.12.1)
 
