Description
The Auth0 Next.js SDK (@auth0/nextjs-auth0) is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a DPoP nonce retry can cause the proxy cache fetcher to look up the wrong token request result, so a request may be served the result belonging to another concurrent request (a race condition, CWE-362, leading to an authorization failure, CWE-863). An application is affected only if it runs an affected version and also uses the SDK's proxy handler (the /me/* and /my-org/* routes) with DPoP enabled; applications that do not use the proxy handler, or that use it without DPoP, are not affected. The issue is fixed in version 4.18.0; upgrading is the remediation.
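The following is an added illustration of the bug class described above, written for this page; it is not code from @auth0/nextjs-auth0 and does not reproduce the SDK's actual fetcher. All names (upstream, flawedFetch, fixedFetch, runInterleaved, the session and path strings) are invented. Concurrency is simulated with generators and an explicit interleaving so the race is deterministic and runs synchronously: two sessions proxy the same path at once, both receive a `use_dpop_nonce` rejection, and the vulnerable fetcher's retry consults a cache keyed only by URL, while the hardened fetcher keys the cache by session as well.

```javascript
// Hypothetical model of a CWE-362 race in a proxy cache fetcher that turns
// into a CWE-863 authorization failure. Not nextjs-auth0 code; all names are
// invented for this example.

// Constructed stand-in for a DPoP-protected upstream: the first request from a
// session carries no nonce and is rejected with `use_dpop_nonce`; a retry that
// echoes the nonce succeeds with a body bound to the session that sent it.
const upstream = {
  fetch(session, nonce) {
    if (!nonce) return { status: 401, error: 'use_dpop_nonce', nonce: `nonce-${session}` };
    return { status: 200, body: `token-result-for-${session}` };
  },
};

// Vulnerable shape: results are cached per target URL only. When a nonce retry
// consults the cache, it can pick up a result another session produced for the
// same URL while this request was still in flight.
function* flawedFetch(cache, session, url) {
  let nonce = null;
  for (let attempt = 0; attempt < 2; attempt++) {
    yield; // the network round trip is in flight here
    const res = upstream.fetch(session, nonce);
    if (res.status === 401 && res.error === 'use_dpop_nonce') {
      nonce = res.nonce;
      const cached = cache.get(url); // improper lookup: the key ignores who is asking
      if (cached !== undefined) return cached;
      continue;
    }
    cache.set(url, res.body);
    return res.body;
  }
  throw new Error('nonce retry exhausted');
}

// Hardened shape: the cache key includes the session, so a retry can only ever
// observe a result produced for the same principal. Everything else is unchanged.
function* fixedFetch(cache, session, url) {
  const key = `${session}|${url}`;
  let nonce = null;
  for (let attempt = 0; attempt < 2; attempt++) {
    yield;
    const res = upstream.fetch(session, nonce);
    if (res.status === 401 && res.error === 'use_dpop_nonce') {
      nonce = res.nonce;
      const cached = cache.get(key);
      if (cached !== undefined) return cached;
      continue;
    }
    cache.set(key, res.body);
    return res.body;
  }
  throw new Error('nonce retry exhausted');
}

// Deterministic scheduler: step the named generator for each entry in `order`,
// then drain whatever is left round-robin. Returns each task's final value.
function runInterleaved(tasks, order) {
  const results = {};
  const step = (name) => {
    if (name in results) return;
    const { value, done } = tasks[name].next();
    if (done) results[name] = value;
  };
  order.forEach(step);
  while (Object.keys(results).length < Object.keys(tasks).length) {
    Object.keys(tasks).forEach(step);
  }
  return results;
}

// Two sessions proxy the same path concurrently. The interleaving lets alice
// finish her retry before bob's `use_dpop_nonce` response is processed, which is
// exactly the window in which the URL-only lookup returns alice's result to bob.
function demo(fetchImpl) {
  const cache = new Map();
  return runInterleaved(
    {
      alice: fetchImpl(cache, 'alice', '/me/profile'),
      bob: fetchImpl(cache, 'bob', '/me/profile'),
    },
    ['alice', 'bob', 'alice', 'alice', 'bob'],
  );
}

console.log('flawed:', demo(flawedFetch)); // bob receives token-result-for-alice
console.log('fixed: ', demo(fixedFetch));  // each session receives its own result
```

The interleaving is the whole point: with a URL-only key the bug never shows in a sequential test, which is why CWE-362 issues of this kind survive ordinary test suites. To confirm exposure in a real project, check the installed version with `npm ls @auth0/nextjs-auth0` and whether the app both mounts the proxy handler and enables DPoP; if so, upgrade to 4.18.0 or later.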
References (3)
Confirm: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6
Misc (fix commit): https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978
Misc (fixed release): https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0
Scores
CVSS v3.1 base score
5.4 (Medium)
EPSS
0.0021
EPSS Percentile
11.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-362
CWE-863
Status
published
Products (1)
auth0/nextjs-auth0 (npm): >= 4.12.0, < 4.18.0 (fixed in 4.18.0)
Published
Apr 17, 2026
Tracked Since
Apr 18, 2026