CVE-2025-67490

5.4 MEDIUM

📋 TL;DR

The Auth0 Next.js SDK vulnerability allows simultaneous requests from the same client to cause improper token cache lookups, potentially leading to authentication failures or incorrect token handling. This affects Next.js applications using Auth0 SDK versions 4.11.0-4.11.2 and 4.12.0 for user authentication.

💻 Affected Systems

Products:
  • Auth0 Next.js SDK
Versions: 4.11.0 through 4.11.2 and 4.12.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the TokenRequestCache functionality with concurrent requests from the same client.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Authentication failures causing user lockouts or incorrect authorization decisions, potentially allowing unauthorized access to protected resources.

🟠 Likely Case: Intermittent authentication failures or incorrect token responses during high-concurrency scenarios, disrupting user sessions.

🟢 If Mitigated: Minor performance degradation or occasional authentication hiccups that don't compromise security.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires simultaneous requests from the same authenticated client to trigger the cache lookup issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.2 or 4.12.1

Vendor Advisory: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7

Restart Required: Yes

Instructions:

1. Update package.json to use @auth0/nextjs-auth0 version 4.11.2 or 4.12.1.
2. Run npm update @auth0/nextjs-auth0 or yarn upgrade @auth0/nextjs-auth0.
3. Restart your Next.js application server.

🔧 Temporary Workarounds

  • Rate limiting per client (applies to: all): Implement client-side rate limiting to reduce simultaneous requests from the same user.
  • Disable token caching temporarily (applies to: all): Configure the SDK to bypass TokenRequestCache for critical authentication flows.

🧯 If You Can't Patch

  • Implement additional authentication validation layers
  • Monitor authentication logs for unusual patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check package.json for @auth0/nextjs-auth0 version: if version is 4.11.0, 4.11.1, 4.11.2, or 4.12.0, you are vulnerable.

Check Version:

npm list @auth0/nextjs-auth0

Verify Fix Applied:

Verify package.json shows @auth0/nextjs-auth0 version 4.11.2 or 4.12.1, then test concurrent authentication requests from the same user.

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication failures for same user within short timeframes
  • Token validation errors with cache-related messages

Network Indicators:

  • Unusual patterns of simultaneous authentication requests from single clients

SIEM Query:

source="auth0-logs" AND (error="token_cache" OR error="authentication_failure") | stats count by user_id
