From 5725b07d0facff25656871af57d6da351a4cab0d Mon Sep 17 00:00:00 2001 From: Tushar Pandey Date: Mon, 17 Nov 2025 10:09:50 +0530 Subject: [PATCH 1/2] docs: correct attribution in changelog for security fix Credit Joshua Rogers (@MegaManSec) as the original author who discovered and fixed the OAuth parameter injection vulnerability in PR #2381. This corrects an attribution error in PR #2413 where the commit message incorrectly credited a different person. --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index af553932..ae3037a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Change Log +## [Unreleased](https://github.com/auth0/nextjs-auth0/tree/HEAD) + +**Security** +- Prevent OAuth parameter injection via returnTo parameter [\#2413](https://github.com/auth0/nextjs-auth0/pull/2413) + - Security issue discovered and fixed by **Joshua Rogers ([@MegaManSec](https://github.com/MegaManSec))** in [\#2381](https://github.com/auth0/nextjs-auth0/pull/2381) + - Added comprehensive unit test coverage + - URL encodes returnTo parameter to prevent injection of OAuth parameters + ## [v4.12.1](https://github.com/auth0/nextjs-auth0/tree/v4.12.1) (2025-11-13) [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.12.0...v4.12.1) From 5d4a27b0621f23b8ceeafdef19fa4101f8e90ae7 Mon Sep 17 00:00:00 2001 From: Tushar Pandey Date: Mon, 17 Nov 2025 10:14:25 +0530 Subject: [PATCH 2/2] docs: update changelog --- CHANGELOG.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae3037a6..986796e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,10 +3,7 @@ ## [Unreleased](https://github.com/auth0/nextjs-auth0/tree/HEAD) **Security** -- Prevent OAuth parameter injection via returnTo parameter [\#2413](https://github.com/auth0/nextjs-auth0/pull/2413) - - Security issue discovered and fixed by **Joshua Rogers ([@MegaManSec](https://github.com/MegaManSec))** in [\#2381](https://github.com/auth0/nextjs-auth0/pull/2381) - - Added comprehensive unit test coverage - - URL encodes returnTo parameter to prevent injection of OAuth parameters +- Prevent OAuth parameter injection via returnTo parameter [\#2413](https://github.com/auth0/nextjs-auth0/pull/2413) (Clone of #2381 by [MegaManSec](https://github.com/MegaManSec)) ## [v4.12.1](https://github.com/auth0/nextjs-auth0/tree/v4.12.1) (2025-11-13) [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.12.0...v4.12.1)
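Review bot: in the first patch's hunk, the sub-bullet "Added comprehensive unit test coverage" under the new Unreleased entry gives the reader nothing to verify or act on; either state what the tests exercise (the returnTo encoding cases) or drop it, leaving the attribution line and "URL encodes returnTo parameter to prevent injection of OAuth parameters", which are the two facts a security changelog entry exists to record. The new `## [Unreleased](.../tree/HEAD)` heading also lacks the `[Full Changelog](.../compare/...)` line that every released section below it carries (see the `v4.12.0...v4.12.1` line in the context); a `v4.12.1...HEAD` compare link would keep the section consistent with the rest of the file.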
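Review bot: in the second patch's hunk, collapsing the entry to "(Clone of #2381 by [MegaManSec])" undoes the correction the first patch's message says it is making: it drops Joshua Rogers's full name, the statement that he discovered and fixed the issue, and the one-line description of the mitigation ("URL encodes returnTo parameter to prevent injection of OAuth parameters"), which is the only place the changelog tells users what actually changed. "Clone of" describes how PR #2413 was produced, not who found the vulnerability. Suggest one line of the form "Prevent OAuth parameter injection via returnTo parameter [#2413] (discovered and fixed by Joshua Rogers ([@MegaManSec]) in [#2381]; returnTo is now URL-encoded)", and, since this commit reverts most of the previous one, squashing the two before merge so the history shows a single attribution fix rather than a correction followed by a partial reversal.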