CVE-2025-48947 – @auth0/nextjs-auth0
Package
Manager: npm
Name: @auth0/nextjs-auth0
Vulnerable Version: >=4.0.1 <4.6.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
EPSS: 0.00091 (percentile 0.26773)
Details
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

**Overview**

In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs because the responses carry no Cache-Control header.

**Am I Affected?**

You are affected by this vulnerability if you meet the following preconditions:
1. Applications using the NextJS-Auth0 SDK, versions between 4.0.1 and 4.6.0.
2. Applications using CDN or edge caching that caches responses with the Set-Cookie header.
3. The Cache-Control header is not properly set for sensitive responses.

**Fix**

Upgrade @auth0/nextjs-auth0 to v4.6.1.
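A check and hardening step for the caching condition this advisory describes, written here as an added example (not code from the advisory or the @auth0/nextjs-auth0 SDK); it assumes headers are supplied as a plain name/value object rather than a Next.js `response.headers` instance, and the sample cookie value is constructed.

```javascript
// Added example, not from the advisory or the @auth0/nextjs-auth0 SDK:
// detect a cookie-bearing response that a shared cache (CDN/edge) may store,
// the condition behind CWE-525 here, and produce a hardened copy of it.
// Headers are modelled as a plain {name: value} object (assumption); a real
// Next.js middleware would read/write `response.headers` instead.

// Either directive keeps a shared cache from storing the response.
const SHARED_CACHE_BLOCKERS = ["no-store", "private"];

// Parse a Cache-Control value into a lowercase set of directive names.
function parseCacheControl(value) {
  const directives = new Set();
  for (const part of String(value || "").split(",")) {
    const name = part.trim().split("=")[0].toLowerCase();
    if (name) directives.add(name);
  }
  return directives;
}

// Copy headers with lowercase names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// True when the response sets a cookie and nothing tells a shared cache to
// leave it out (Cache-Control missing, or lacking `private` / `no-store`).
function isSharedCacheRisk(headers) {
  const h = normalizeHeaders(headers);
  if (!("set-cookie" in h)) return false;
  const directives = parseCacheControl(h["cache-control"]);
  return !SHARED_CACHE_BLOCKERS.some((d) => directives.has(d));
}

// Return a copy with the directives that stop shared caching of a
// cookie-bearing response; responses without Set-Cookie are left as-is.
function hardenCookieResponse(headers) {
  const h = normalizeHeaders(headers);
  if (!("set-cookie" in h)) return h;
  h["cache-control"] = "private, no-store, max-age=0";
  return h;
}

// Constructed sample shaped like the advisory's case: a middleware response
// carrying a __session cookie and no Cache-Control header at all.
const SAMPLE_VULNERABLE = {
  "Content-Type": "text/html; charset=utf-8",
  "Set-Cookie": "__session=EXAMPLE_OPAQUE_VALUE; Path=/; HttpOnly; Secure",
};
```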
Metadata
Created: 2025-06-04T21:24:52Z
Modified: 2025-06-04T22:57:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-f3fg-mf2q-fj3f/GHSA-f3fg-mf2q-fj3f.json
CWE IDs: ["CWE-525"]
Alternative ID: GHSA-f3fg-mf2q-fj3f
Finding: F065
Auto approve: 1