Description
An input-validation flaw in the returnTo parameter of the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters.
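The defensive pattern for the class of flaw described above, as an added example that is not code from @auth0/nextjs-auth0 and not its actual fix: accept returnTo only as an application-relative path, and place every value into the authorization request through URLSearchParams so a crafted returnTo cannot contribute extra OAuth parameters. The origin, Auth0 domain, client id and the `return_to` parameter name are assumed placeholders.

```javascript
// Added example (not SDK code). Validates a returnTo value and builds an
// authorization request in which returnTo can only ever be a single encoded value.
// Assumed placeholders: APP_ORIGIN, AUTH0_DOMAIN, CLIENT_ID, and the "return_to" name.
const APP_ORIGIN = "https://app.example"; // placeholder application origin
const AUTH0_DOMAIN = "tenant.example.auth0.com"; // placeholder tenant domain
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";

// Return a safe application-relative path, or `fallback` when returnTo is unsafe.
// Rejects absolute URLs, protocol-relative "//host" and "/\host" forms, and control chars.
function sanitizeReturnTo(returnTo, fallback = "/") {
  if (typeof returnTo !== "string" || returnTo.length === 0) return fallback;
  // Control characters and whitespace have no place in a redirect target.
  if (/[\u0000-\u001f\s]/.test(returnTo)) return fallback;
  // Must start with exactly one "/": "//host" and "/\host" both resolve to another host.
  if (!returnTo.startsWith("/") || /^\/[\/\\]/.test(returnTo)) return fallback;
  // Resolve against our own origin and confirm the result stayed on it.
  let url;
  try { url = new URL(returnTo, APP_ORIGIN); } catch { return fallback; }
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Build the authorization URL. Every parameter goes through URLSearchParams, so
// "&", "=" and "?" inside the sanitized returnTo are percent-encoded and can never
// split into a second OAuth parameter (no string concatenation of user input).
function buildAuthorizeUrl({ returnTo, state, redirectUri }) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "code",
    redirect_uri: redirectUri,
    scope: "openid profile email",
    state,
  });
  // Hypothetical app-specific parameter carrying the sanitized target.
  params.set("return_to", sanitizeReturnTo(returnTo));
  return `https://${AUTH0_DOMAIN}/authorize?${params.toString()}`;
}

// Defensive check: the final request carries only the parameters we expect, each once.
const ALLOWED_AUTHORIZE_PARAMS = new Set([
  "client_id", "response_type", "redirect_uri", "scope", "state", "return_to",
]);
function hasOnlyExpectedParams(authorizeUrl, allowed = ALLOWED_AUTHORIZE_PARAMS) {
  const keys = [...new URL(authorizeUrl).searchParams.keys()];
  return keys.length === new Set(keys).size && keys.every((k) => allowed.has(k));
}
```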
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Version details:
- Affected version(s): >= 4.9.0, < 4.13.0
- Patched version(s): 4.13.0
References
Related Issues
- Improper Request Caching Lookup in the Auth0 Next.js SDK - CVE-2025-67490
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
- Auth0 NextJS SDK v4 Missing Session Invalidation - CVE-2025-46344
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
Tags:
- npm
- @auth0/nextjs-auth0
Last updated on December 11, 2025