CVE-2025-67490 - Vulnerability Details - OpenCVE

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Auth0	Nextjs-auth0

No data.

No data.

References

Link	Providers
https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7

History

Thu, 11 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 11 Dec 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Auth0 Auth0 nextjs-auth0
Vendors & Products		Auth0 Auth0 nextjs-auth0

Wed, 10 Dec 2025 22:30:00 +0000

Type	Values Removed	Values Added
Description		The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
Title		Auth0 Next.js SDK has Improper Request Caching Lookup
Weaknesses		CWE-863
References		https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-10T22:16:08.262Z

Updated: 2025-12-11T15:38:34.314Z

Reserved: 2025-12-08T18:49:47.486Z

Link: CVE-2025-67490

Vulnrichment

Updated: 2025-12-11T15:38:29.915Z

NVD

Status : Awaiting Analysis

Published: 2025-12-10T23:15:48.503

Modified: 2025-12-12T15:18:13.390

Link: CVE-2025-67490

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67490", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-08T18:49:47.486Z", "datePublished": "2025-12-10T22:16:08.262Z", "dateUpdated": "2025-12-11T15:38:34.314Z"}, "containers": {"cna": {"title": "Auth0 Next.js SDK has Improper Request Caching Lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7"}, {"name": "https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b"}], "affected": [{"vendor": "auth0", "product": "nextjs-auth0", "versions": [{"version": ">= 4.12.0, < 4.12.1", "status": "affected"}, {"version": ">= 4.11.0, < 4.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-10T22:16:08.262Z"}, "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1."}], "source": {"advisory": "GHSA-wcgj-f865-c7j7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-11T15:38:23.260812Z", "id": "CVE-2025-67490", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T15:38:34.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-11T15:38:23.260812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T15:38:29.915Z"}}], "cna": {"title": "Auth0 Next.js SDK has Improper Request Caching Lookup", "source": {"advisory": "GHSA-wcgj-f865-c7j7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "auth0", "product": "nextjs-auth0", "versions": [{"status": "affected", "version": ">= 4.12.0, < 4.12.1"}, {"status": "affected", "version": ">= 4.11.0, < 4.11.2"}]}], "references": [{"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7", "name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b", "name": "https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-10T22:16:08.262Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67490", "state": "PUBLISHED", "dateUpdated": "2025-12-11T15:38:34.314Z", "dateReserved": "2025-12-08T18:49:47.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-10T22:16:08.262Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}