CVE-2025-67716
📋 TL;DR
The Auth0 Next.js SDK (@auth0/nextjs-auth0) versions 4.9.0 through 4.12.1 do not sufficiently validate the returnTo parameter, so an attacker who can supply that value can inject additional OAuth query parameters into the authorization request the SDK builds. The authorization server may then issue tokens for a request carrying attacker-chosen parameters, compromising the authentication flow. Every Next.js application running one of these SDK versions is affected.
💻 Affected Systems
- Auth0 Next.js SDK
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate the OAuth flow to obtain tokens issued under parameters they chose (for example broader scopes or a different audience), send users to attacker-controlled sites after login, or bypass authentication controls.
Likely Case
Attackers could inject parameters to modify token scopes, redirect users to phishing sites after authentication, or tamper with OAuth state parameters.
If Mitigated
With proper input validation and monitoring, impact would be limited to failed authentication attempts or logged anomalies.
🎯 Exploit Status
Exploitation requires an understanding of OAuth flows and the ability to craft a malicious URL; no authentication is needed to attempt the injection. Because returnTo is supplied in the request to the SDK's auth route, the attacker does need a victim to open the crafted link.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.0
Vendor Advisory: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5
Restart Required: No (but the application must be rebuilt and redeployed with the updated dependency)
Instructions:
1. Update package.json to require @auth0/nextjs-auth0 version 4.13.0 or higher.
2. Install it: npm install @auth0/nextjs-auth0@^4.13.0 (or yarn upgrade @auth0/nextjs-auth0@^4.13.0). Note that a plain npm update only moves within the range already declared in package.json, so check the installed version afterwards.
3. Rebuild, redeploy, and test the login, callback, and logout flows thoroughly, including requests that carry a returnTo value.
🔧 Temporary Workarounds
Input Validation Middleware
Implement custom middleware that validates the returnTo parameter before it reaches the Auth0 SDK: accept only single-slash relative paths, reject values that carry a query string or fragment (the channel through which OAuth parameters are injected), and fall back to a safe default such as / for anything else.
URL Whitelisting
Restrict returnTo to a predefined list of allowed paths (or, where cross-site returns are required, allowed origins) and reject or replace any value outside that list.
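The two workarounds above combined into one validator, as an added example that is not part of @auth0/nextjs-auth0 or any vendor code. It assumes a canonical application origin (BASE_ORIGIN) and a path allowlist (ALLOWED_PATH_PREFIXES); both are placeholders to set for your own app. Call it from a Next.js middleware or a custom login route handler and pass only its return value on to the SDK.

```typescript
// Added example (not SDK code): strict returnTo validator to run before the
// value reaches @auth0/nextjs-auth0. BASE_ORIGIN and ALLOWED_PATH_PREFIXES are
// assumptions for illustration; set them for your application.
const BASE_ORIGIN = "https://app.example.com";
const ALLOWED_PATH_PREFIXES = ["/dashboard", "/account", "/settings"];

// Returns a normalized same-origin path from the allowlist, "/" when no value
// was supplied, or null when the value must be rejected (the caller should then
// fall back to "/" and log the attempt).
function sanitizeReturnTo(
  raw: string | null | undefined,
  allowedPrefixes: string[] = ALLOWED_PATH_PREFIXES
): string | null {
  if (raw === null || raw === undefined || raw === "") return "/";

  // Accept only single-slash relative paths. This rejects absolute URLs,
  // protocol-relative "//evil.example", and backslash variants such as
  // "/\evil.example" that some parsers treat like "//".
  if (!/^\/(?![\/\\])/.test(raw) || raw.indexOf("\\") !== -1) return null;

  // Reject percent-encoded query/fragment delimiters too (%3F %26 %23): a
  // later decode step elsewhere in the stack could turn them into live ones.
  if (/%(3f|26|23)/i.test(raw)) return null;

  let parsed: URL;
  try {
    parsed = new URL(raw, BASE_ORIGIN);
  } catch {
    return null;
  }
  // The parser must not have re-targeted the origin.
  if (parsed.origin !== BASE_ORIGIN) return null;

  // Never let a query string or fragment ride along into the SDK; that is the
  // channel the advisory describes for injecting OAuth parameters.
  if (parsed.search !== "" || parsed.hash !== "") return null;

  // Allowlist check on the normalized pathname, so "/dashboard/../admin" is
  // judged as "/admin". A prefix matches exactly or as a directory.
  const path = parsed.pathname;
  if (path === "/") return path;
  for (let i = 0; i < allowedPrefixes.length; i++) {
    const prefix = allowedPrefixes[i];
    if (path === prefix || path.indexOf(prefix + "/") === 0) return path;
  }
  return null;
}

// Example usage with constructed inputs:
console.log(sanitizeReturnTo("/dashboard/reports"));              // allowed path
console.log(sanitizeReturnTo("/dashboard?scope=openid&audience=x")); // rejected: query string
console.log(sanitizeReturnTo("//evil.example/phish"));            // rejected: external
```

Dropping the query string outright is deliberate: it is the simplest rule that closes the injection channel. If your application genuinely needs query parameters in returnTo, allowlist the individual keys and rebuild the string from a URLSearchParams instance rather than passing the attacker's text through.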
🧯 If You Can't Patch
- Implement strict input validation for all user-controlled parameters in authentication endpoints
- Monitor authentication logs for unusual parameter patterns or unexpected redirects
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for @auth0/nextjs-auth0 version between 4.9.0 and 4.12.1 inclusive.
Check Version:
npm list @auth0/nextjs-auth0 or yarn list @auth0/nextjs-auth0
Verify Fix Applied:
Confirm @auth0/nextjs-auth0 version 4.13.0 or higher is installed (package.json and the lockfile), then test authentication flows with a range of returnTo values, including ones containing ?, &, percent-encoded delimiters, and absolute URLs; none of them should alter the authorization request sent to Auth0.
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth parameter combinations
- returnTo URLs with unexpected query parameters
- Authentication failures with malformed URLs
Network Indicators:
- HTTP requests with crafted returnTo parameters containing OAuth injection attempts
SIEM Query:
source="auth_logs" AND (returnTo CONTAINS "?" OR returnTo CONTAINS "&" OR returnTo CONTAINS "%3F" OR returnTo CONTAINS "%26" OR NOT returnTo MATCHES "^/[^/\\]")
URL-decode the returnTo field before matching where your platform allows it; the %3F and %26 terms cover values that were percent-encoded once, and the final clause flags anything that is not a single-slash relative path (absolute or protocol-relative URLs).
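The log and network indicators above turned into detection logic, as an added example that is not vendor or SDK code. It runs over constructed sample access-log lines in nginx/Apache combined format; that format, the /auth/login route, and the list of OAuth parameter names to look for are assumptions to adapt to your own logging.

```typescript
// Added example (not vendor or SDK code): scan access logs for returnTo values
// that carry injected OAuth parameters or point off-site. The combined-log
// format, the /auth/login route and OAUTH_PARAM_NAMES are assumptions.
const OAUTH_PARAM_NAMES = [
  "scope", "audience", "redirect_uri", "response_type", "response_mode", "state",
  "nonce", "connection", "prompt", "client_id", "organization", "invitation",
  "login_hint", "code_challenge", "code_challenge_method",
];

interface ReturnToFinding {
  line: number;             // 1-based index into the scanned lines
  rawValue: string;         // returnTo exactly as logged (still percent-encoded)
  decodedValue: string;     // after repeated percent-decoding
  reasons: string[];        // why the line was flagged
  injectedParams: string[]; // OAuth parameter names found after the delimiter
}

function tryDecode(s: string): string | null {
  try { return decodeURIComponent(s); } catch { return null; }
}

// Percent-decode until the value stops changing (max 3 rounds), so a
// double-encoded "%2526" becomes "%26" and then "&". Reports the rounds used.
function fullyDecode(value: string): { value: string; rounds: number } {
  let current = value;
  let rounds = 0;
  for (let i = 0; i < 3; i++) {
    const next = tryDecode(current);
    if (next === null || next === current) break;
    current = next;
    rounds++;
  }
  return { value: current, rounds: rounds };
}

// Pull the encoded returnTo out of the quoted request field of a combined
// log line, e.g. "GET /auth/login?foo=1&returnTo=... HTTP/1.1".
function extractRawReturnTo(logLine: string): string | null {
  const m = /"(?:GET|POST) \/auth\/login\?(?:[^ "]*&)?returnTo=([^& "]*)/.exec(logLine);
  return m ? m[1] : null;
}

function analyzeReturnTo(line: number, rawValue: string): ReturnToFinding | null {
  const decoded = fullyDecode(rawValue);
  const value = decoded.value;
  const reasons: string[] = [];
  const injected: string[] = [];

  if (decoded.rounds >= 2) reasons.push("double percent-encoding");

  // Anything but a single-slash relative path is a redirect to another site.
  if (!/^\/(?![\/\\])/.test(value) || value.indexOf("\\") !== -1) {
    reasons.push("not a single-slash relative path (external redirect)");
  }

  // A query or fragment delimiter is the injection channel the advisory describes.
  const delim = value.search(/[?&#]/);
  if (delim !== -1) {
    reasons.push("query/fragment delimiter inside returnTo");
    const pairs = value.substring(delim + 1).split(/[&?#]/);
    for (let i = 0; i < pairs.length; i++) {
      const key = pairs[i].split("=")[0].toLowerCase();
      if (OAUTH_PARAM_NAMES.indexOf(key) !== -1 && injected.indexOf(key) === -1) injected.push(key);
    }
    if (injected.length > 0) reasons.push("OAuth parameter names injected: " + injected.join(", "));
  }

  if (reasons.length === 0) return null;
  return { line, rawValue, decodedValue: value, reasons, injectedParams: injected };
}

function scanLoginLogs(lines: string[]): ReturnToFinding[] {
  const findings: ReturnToFinding[] = [];
  for (let i = 0; i < lines.length; i++) {
    const raw = extractRawReturnTo(lines[i]);
    if (raw === null) continue;
    const finding = analyzeReturnTo(i + 1, raw);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample lines (not real traffic). Lines 2, 3 and 4 should be flagged.
const SAMPLE_LOG_LINES = [
  '203.0.113.7 - - [10/Jan/2026:10:00:00 +0000] "GET /auth/login?returnTo=%2Fdashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Jan/2026:10:00:05 +0000] "GET /auth/login?returnTo=%2Fdashboard%3Fscope%3Dopenid%20offline_access%26audience%3Dhttps%3A%2F%2Fapi.example.com HTTP/1.1" 302 0 "-" "curl/8.4.0"',
  '198.51.100.23 - - [10/Jan/2026:10:00:09 +0000] "GET /auth/login?returnTo=%252Fdashboard%253Fredirect_uri%253Dhttps%253A%252F%252Fevil.example%252Fcb HTTP/1.1" 302 0 "-" "curl/8.4.0"',
  '198.51.100.23 - - [10/Jan/2026:10:00:12 +0000] "GET /auth/login?foo=1&returnTo=https%3A%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0 "-" "curl/8.4.0"',
  '203.0.113.9 - - [10/Jan/2026:10:00:20 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"',
];

const results = scanLoginLogs(SAMPLE_LOG_LINES);
results.forEach(f => console.log("line " + f.line + ": " + f.decodedValue + " -> " + f.reasons.join("; ")));
```

The repeated decoding matters: a single-layer check on the raw field misses the double-encoded third line, which only becomes a recognisable injection after two rounds. Group findings by source address and user agent; a burst of flagged requests from one client probing different parameter names is the pattern to escalate.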