logo

Database

Lack of data validation In @auth0/nextjs-auth0

Description

Improper Validation of Query Parameters in Auth0 Next.js SDK

Description

An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters

Am I Affected?

You are affected if you meet the following preconditions:

    Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0

Affected product and versions

Auth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0

Resolution

Upgrade Auth0/nextjs-auth0 version to v4.13.0

Acknowledgements

Okta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-677162. NVD-2025-677163. OSV-2025-677164. GHSA-mr6f-h57v-rpj55. GCVE-2025-67716

References

1. https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj52. https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.