VYPR

npm package

@auth0/nextjs-auth0

pkg:npm/%40auth0/nextjs-auth0

Vulnerabilities (7)

  • CVE-2026-40155 | Med | Apr 17, 2026
    affected >= 4.12.0, < 4.18.0; fixed 4.18.0

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users

  • CVE-2025-67716 | Dec 11, 2025
    affected >= 4.9.0, < 4.13.0; fixed 4.13.0

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 author

  • CVE-2025-67490 | Dec 10, 2025
    affected >= 4.11.0, < 4.11.2; fixed 4.11.2

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This is

  • CVE-2025-48947 | Hig | Jun 4, 2025
    affected >= 4.0.1, < 4.6.1; fixed 4.6.1

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be

  • CVE-2025-46344 | Med | Apr 29, 2025
    affected >= 4.0.1, < 4.5.1; fixed 4.5.1

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expi

  • CVE-2021-43812 | Dec 16, 2021
    affected < 1.6.2; fixed 1.6.2

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login URL, which exposes the application to an open redirect vulnerability. Users are advised to upgr

  • CVE-2021-32702 | Jun 25, 2021
    affected < 1.4.2; fixed 1.4.2

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then