Description
An input-validation flaw in the returnTo parameter of the Auth0 Next.js SDK could allow an attacker to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters.
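The defensive pattern the description points at is twofold: treat returnTo as untrusted and allow-list it to a same-origin path, and never let it (or any other caller-supplied value) reach the authorization URL as a separate query parameter. The following is an added example written for this page; it is not code from @auth0/nextjs-auth0, and the base origin, issuer, client id, the `ctx` object, its `newState`/`stateStore` members and the `startLogin` helper are all assumed names for illustration.

```javascript
// Added example (not code from @auth0/nextjs-auth0): allow-list a returnTo
// value and build an authorization request in which a caller-supplied value
// can never turn into an extra OAuth query parameter.

// Any ASCII control character, space or DEL is grounds for rejection.
const CONTROL_OR_SPACE = /[\u0000-\u0020\u007f]/;

// Constructed base origin for resolving relative targets (assumption).
const APP_ORIGIN = 'https://app.example';

// Accept only a same-origin, path-only target such as "/dashboard?tab=1".
// Rejects absolute URLs, protocol-relative "//host" and backslash variants.
function isSafeReturnTo(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (CONTROL_OR_SPACE.test(value)) return false;
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) return false;
  let parsed;
  try {
    parsed = new URL(value, APP_ORIGIN);
  } catch {
    return false;
  }
  // Defense in depth: if the resolved origin moved, the value escaped the path.
  return parsed.origin === APP_ORIGIN;
}

// OAuth parameters this app is willing to send; anything else is refused.
const ALLOWED_AUTHORIZE_PARAMS = new Set([
  'client_id', 'redirect_uri', 'response_type', 'scope', 'state',
  'nonce', 'code_challenge', 'code_challenge_method',
]);

// Builds "<issuer>/authorize?..." with URLSearchParams, which percent-encodes
// "&" and "=" inside values, so a value like "a&scope=x" stays one parameter.
function buildAuthorizeUrl(issuer, params) {
  const url = new URL('/authorize', issuer);
  for (const [key, val] of Object.entries(params)) {
    if (!ALLOWED_AUTHORIZE_PARAMS.has(key)) {
      throw new Error(`refusing to forward unexpected parameter: ${key}`);
    }
    url.searchParams.set(key, String(val));
  }
  return url.toString();
}

// Hypothetical login entry point: the validated returnTo is kept server-side,
// keyed by the random state value, instead of travelling in the query string.
function startLogin(returnTo, ctx) {
  const target = isSafeReturnTo(returnTo) ? returnTo : '/';
  const state = ctx.newState();                    // random, unguessable
  ctx.stateStore.set(state, { returnTo: target }); // assumed server-side store
  return buildAuthorizeUrl(ctx.issuer, {
    client_id: ctx.clientId,
    redirect_uri: ctx.redirectUri,
    response_type: 'code',
    scope: 'openid profile',
    state,
  });
}
```

Because the authorization URL is assembled only from a fixed set of parameter names, a bad returnTo degrades to the site root rather than altering the request; the origin comparison after URL resolution catches path-escape tricks that a prefix check alone would miss.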
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Version details:
- Affected version(s): >= 4.9.0, < 4.13.0
- Patched version(s): 4.13.0
References
Related Issues
- Maker.js has Unsafe Property Copying in makerjs.extendObject - CVE-2026-24888
- Improper Request Caching Lookup in the Auth0 Next.js SDK - CVE-2025-67490
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- @digitalocean/do-markdownit has Type Confusion vulnerability - CVE-2025-59717
Tags: npm, @auth0/nextjs-auth0
Last updated on December 11, 2025