PT-2026-33516

Name of the Vulnerable Software and Affected Versions Auth0 Next.js SDK versions 4.12.0 through 4.17.1 Description Simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for token request results. This occurs when projects use the proxy...

CVE-2025-67490

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in...

CVE-2025-67716

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...

EUVD-2025-202629

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...

CVE-2025-67716 Auth0 Next.js SDK has Improper Validation of Query Parameters

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...

CVE-2025-67716 Auth0 Next.js SDK has Improper Validation of Query Parameters

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...

CVE-2025-67490

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in...

Improper Validation of Query Parameters in Auth0 Next.js SDK

Description An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters Am I Affected? You a...

EUVD-2021-1297

Malware in sbrugna...

CVE-2025-48947

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...

CVE-2025-48947

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...

CVE-2025-48947

The CVE describes a vulnerability in the Auth0 Next.js SDK (auth0/nextjs-auth0) affecting versions 4.0.1–4.6.0 where __session cookies set by auth0.middleware can be cached by CDNs due to missing Cache-Control headers. Preconditions require: (1) use of the NextJS-Auth0 SDK, (2) CDN/edge caching o...

CVE-2025-48947 NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...

PT-2025-23857 · Auth0 · Auth0 Next.Js Sdk

Name of the Vulnerable Software and Affected Versions: Auth0 Next.js SDK versions 4.0.1 through 4.6.0 Description: The issue concerns the caching of session cookies set by auth0.middleware in CDN environments due to missing Cache-Control headers. Three preconditions must be met for the...

CVE-2021-43812

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as...

CVE-2021-32702

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the...

CVE-2025-46344

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While...

CVE-2025-46344 Auth0 NextJS SDK v4 Missing Session Invalidation

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While...

CVE-2025-46344

Summary of affected component: Auth0 Next.js SDK (nextjs-auth0), version range 4.0.1 through 4.5.0. Root cause: When generating a JWE token for the session, the code does not invoke .setExpirationTime, so the JWE lacks an internal expiration claim; session cookies may expire, but the JWE remains ...

CVE-2025-46344 Auth0 NextJS SDK v4 Missing Session Invalidation

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While...