logo

Database

Authentication mechanism absence or evasion In @auth0/nextjs-auth0

Description

Improper Request Caching Lookup in the Auth0 Next.js SDK

Description

When using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results.

Am I Affected?

You are affected if you meet the following preconditions:

    Applications using the auth0/nextjs-auth0 SDK with a singleton client instance, versions 4.11.0, 4.11.1, and 4.12.0.

Affected product and versions

Auth0/nextjs-auth0 v4.11.0, v4.11.1, and v4.12.0.

Resolution

Upgrade Auth0/nextjs-auth0 version to v4.11.2 or v4.12.1

Acknowledgements

Okta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-674902. NVD-2025-674903. OSV-2025-674904. GHSA-wcgj-f865-c7j75. GCVE-2025-67490

References

1. https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j72. https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.