Description
When using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results.
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.12.0, < 4.12.1 >= 4.11.0, < 4.11.2** Patched version(s): **4.12.1 4.11.2**
References
Related Issues
- Improper Validation of Query Parameters in Auth0 Next.js SDK - CVE-2025-67716
- authkit-nextjs may let session cookies be cached in CDNs - CVE-2025-64762
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
- Tags:
- npm
- @auth0/nextjs-auth0
Anything's wrong? Let us know Last updated on December 11, 2025