Improper Validation of Query Parameters in Auth0 Next.js SDK

Severity:: Low

Description

An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters

Recommendation

Update the @auth0/nextjs-auth0 package to the latest compatible version. Followings are version details:

Affected version(s): >= 4.9.0, < 4.13.0
Patched version(s): 4.13.0

References

GHSA-mr6f-h57v-rpj5
CVE-2025-67716
CWE-184
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Improper Request Caching Lookup in the Auth0 Next.js SDK - CVE-2025-67490
Auth0 Next.js SDK has Improper Proxy Cache Lookup - CVE-2026-40155
Auth0 NextJS SDK v4 Missing Session Invalidation - CVE-2025-46344
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @auth0/nextjs-auth0

Anything's wrong? Let us know Last updated on December 11, 2025