CVE-2025-67716

MEDIUM

Auth0 Next.js SDK <4.13.0 - Info Disclosure

Title source: llm

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

References (2)

[Vendor Advisory] https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5

[Patch] https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c

View Patch ZIP pw:eip

Scores

CVSS v3 5.7

EPSS 0.0008

EPSS Percentile 22.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-184

Status published

Products (2)

auth0/nextjs-auth0 4.9.0 - 4.12.1

auth0/nextjs-auth0 4.9.0 - 4.13.0npm

Published Dec 11, 2025

Tracked Since Feb 18, 2026