/api/auth/signout reflects injected script in response body

[abentley-castera]

Hello,

I'm trying to remediate a security vulnerability in my app picked up from a burp scanner report. My app is using KeyCloak as the authentication provider with NextAuth, and the scanner report is showing that injected scripts provided in the callbackUrl request field are being reflected back on the response body url field. For example, if I make the following call:

POST http://localhost:3000/api/auth/signout
Content-Type: application/x-www-form-urlencoded
csrfToken: 724cd...
callbackUrl: /api/auth/logout?actid=<authentication-token>ob9nh%3cscript%3ealert(1)%3c%2fscript%3ewlhc2&json=true # injected script at the end here
json: true

I am seeing the injected script in the response body:

{
    "url": "http://localhost:3000/api/auth/logout?actid=<authentication-token>ob9nh%3cscript%3ealert(1)%3c%2fscript%3ewlhc2&json=true" # injected script reflect back on response body response
}

This seems like a security vulnerabiliy as any arbitrary script could be injected here and is returned back to the caller. What is the proper means to resolve this issue? Is there anything I can add in my app to prevent this from happening on a direct call to /api/auth/signout, or does something need to be remediated within the NextAuth libary?