High severityNVD Advisory· Published Jun 4, 2025· Updated Apr 15, 2026

CVE-2025-48947


Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by `auth0.middleware` may be cached by CDNs because the responses that set them carry no Cache-Control header. Three preconditions must all hold for an application to be affected: it uses the nextjs-auth0 SDK at a version from 4.0.1 through 4.6.0; it sits behind a CDN or edge cache that caches responses carrying a Set-Cookie header; and the Cache-Control header is not otherwise set to forbid caching of those sensitive responses. Users should upgrade @auth0/nextjs-auth0 to v4.6.1, which sets `Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0` (plus `Pragma: no-cache` and `Expires: 0`) on the responses that write or return the session.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @auth0/nextjs-auth0 (npm) · Affected versions: >= 4.0.1, < 4.6.1 · Patched versions: 4.6.1

Patches

2
12a62ca596db

Merge commit from fork

https://github.com/auth0/nextjs-auth0 · kelvinzhu-okta · Jun 4, 2025 · via ghsa
3 files changed · +44 −3
  • src/server/auth-client.ts+8 2 modified
    @@ -32,6 +32,7 @@ import {
       removeTrailingSlash
     } from "../utils/pathUtils";
     import { toSafeRedirect } from "../utils/url-helpers";
    +import { addCacheControlHeadersForSession } from "./cookies";
     import { AbstractSessionStore } from "./session/abstract-session-store";
     import { TransactionState, TransactionStore } from "./transaction-store";
     import { filterClaims } from "./user";
    @@ -296,6 +297,7 @@ export class AuthClient {
             await this.sessionStore.set(req.cookies, res.cookies, {
               ...session
             });
    +        addCacheControlHeadersForSession(res);
           }
     
           return res;
    @@ -441,6 +443,7 @@ export class AuthClient {
     
         const res = NextResponse.redirect(url);
         await this.sessionStore.delete(req.cookies, res.cookies);
    +    addCacheControlHeadersForSession(res);
     
         // Clear any orphaned transaction cookies
         await this.transactionStore.deleteAll(req.cookies, res.cookies);
    @@ -567,6 +570,7 @@ export class AuthClient {
         }
     
         await this.sessionStore.set(req.cookies, res.cookies, session, true);
    +    addCacheControlHeadersForSession(res);
         await this.transactionStore.delete(res.cookies, state);
     
         return res;
    @@ -580,8 +584,9 @@ export class AuthClient {
             status: 401
           });
         }
    -
    -    return NextResponse.json(session?.user);
    +    const res = NextResponse.json(session?.user);
    +    addCacheControlHeadersForSession(res);
    +    return res;
       }
     
       async handleAccessToken(req: NextRequest): Promise<NextResponse> {
    @@ -631,6 +636,7 @@ export class AuthClient {
             ...session,
             tokenSet: updatedTokenSet
           });
    +      addCacheControlHeadersForSession(res);
         }
     
         return res;
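Review bot: In the last hunk, `addCacheControlHeadersForSession(res)` is added only inside the branch that refreshed the token set, so when the stored token is still valid the response returned at `return res;` carries no `Cache-Control` at all. That response presumably carries the access token in its JSON body (the body is built outside the hunk), which is exactly the kind of payload a shared cache must not store, and `handleProfile` earlier in this file applies the headers unconditionally. Move the call out of the `if` so it runs on both paths: `addCacheControlHeadersForSession(res);` immediately before `return res;`. handleAccessToken's body starts before this hunk and the code that builds `res` is not visible here, so confirm `res` is the token response on the non-refresh path as well.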
    
  • src/server/cookies.test.ts+16 1 modified
    @@ -1,7 +1,8 @@
    +import { NextResponse } from "next/server";
     import { describe, expect, it } from "vitest";
     
     import { generateSecret } from "../test/utils";
    -import { decrypt, encrypt } from "./cookies";
    +import { addCacheControlHeadersForSession, decrypt, encrypt } from "./cookies";
     
     describe("encrypt/decrypt", async () => {
       const secret = await generateSecret(32);
    @@ -53,3 +54,17 @@ describe("encrypt/decrypt", async () => {
         await expect(() => decrypt(encrypted, "")).rejects.toThrowError();
       });
     });
    +
    +describe("addCacheControlHeadersForSession", () => {
    +  it("unconditionally adds strict cache headers", () => {
    +    const res = NextResponse.next();
    +
    +    addCacheControlHeadersForSession(res);
    +
    +    expect(res.headers.get("Cache-Control")).toBe(
    +      "private, no-cache, no-store, must-revalidate, max-age=0"
    +    );
    +    expect(res.headers.get("Pragma")).toBe("no-cache");
    +    expect(res.headers.get("Expires")).toBe("0");
    +  });
    +});
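Review bot: The new test only exercises a response with no prior caching headers, so it does not pin the property that matters for this fix: the helper uses `headers.set`, which must replace a pre-existing, more permissive `Cache-Control` rather than append to it. A second case that first sets `public, max-age=3600` and then asserts the strict value would guard against a later refactor to `append`, which would leave two `Cache-Control` values for a CDN to combine or choose between. Proposed addition inside the same `describe`:
```typescript
  // … unchanged: "unconditionally adds strict cache headers" case …

  it("replaces a pre-existing permissive Cache-Control", () => {
    const res = NextResponse.next();
    res.headers.set("Cache-Control", "public, max-age=3600");

    addCacheControlHeadersForSession(res);

    expect(res.headers.get("Cache-Control")).toBe(
      "private, no-cache, no-store, must-revalidate, max-age=0"
    );
  });
```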
    
  • src/server/cookies.ts+20 0 modified
    @@ -1,3 +1,4 @@
    +import { NextResponse } from "next/server";
     import {
       RequestCookie,
       RequestCookies,
    @@ -329,3 +330,22 @@ export function deleteChunkedCookie(
         resCookies.delete(cookie.name); // Delete each filtered cookie
       });
     }
    +
    +/**
    + * Unconditionally adds strict cache-control headers to the response.
    + *
    + * This ensures the response is not cached by CDNs or other shared caches.
    + * It is now the caller's responsibility to decide when to call this function.
    + *
    + * Usage:
    + * Call this function whenever a `Set-Cookie` header is being written
    + * for session management or any other sensitive data that must not be cached.
    + */
    +export function addCacheControlHeadersForSession(res: NextResponse): void {
    +  res.headers.set(
    +    "Cache-Control",
    +    "private, no-cache, no-store, must-revalidate, max-age=0"
    +  );
    +  res.headers.set("Pragma", "no-cache");
    +  res.headers.set("Expires", "0");
    +}
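Review bot: `NextResponse` is used in this file only as the parameter type of `addCacheControlHeadersForSession`, so the import added at the top of the file should be type-only: `import type { NextResponse } from "next/server";`, which keeps the module's runtime import graph unchanged and is safe under `isolatedModules`. The docstring should also spell out that `headers.set` deliberately replaces whatever the caller already put on the response, e.g. `Overwrites (does not merge with) any existing Cache-Control, Pragma and Expires headers on the response.`, and the sentence "It is now the caller's responsibility" reads as a changelog remark rather than a contract and can be dropped. One caveat worth a NOTE in the docstring: some CDNs honour vendor headers such as `CDN-Cache-Control` or `Surrogate-Control` in preference to `Cache-Control`, so an application that sets those elsewhere may still see the response cached; this helper does not clear them.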
    

