CVE-2025-67490 PUBLISHED

Auth0 Next.js SDK has Improper Request Caching Lookup

Assigner: GitHub_M
Reserved: 08.12.2025 Published: 10.12.2025 Updated: 11.12.2025

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	auth0
Product	nextjs-auth0
Versions	Version >= 4.12.0, < 4.12.1 is affected Version >= 4.11.0, < 4.11.2 is affected

References

https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7
https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b

Problem Types

CWE-863: Incorrect Authorization CWE