
A serious vulnerability has been uncovered in the widely used Auth0 Next.js SDK, a library that helps developers implement authentication in their Next.js apps. Tracked as CVE-2025-48947 and rated CVSS 7.7, the flaw could cause session cookies to be cached by CDNs, potentially exposing sensitive authentication tokens to unintended users.
“In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers,” the advisory explains.
With the SDK seeing over 286,000 weekly downloads, this vulnerability could affect a large portion of the Next.js developer ecosystem.
You’re likely affected if all three of the following conditions apply:
- You’re using the Next.js Auth0 SDK between versions 4.0.1 and 4.6.0.
- Your application is served through a CDN or edge network that caches Set-Cookie headers.
- Your response headers are missing proper Cache-Control settings, which would normally prevent sensitive cookie caching.
This issue could allow cached session cookies to be mistakenly served to multiple users under certain conditions, violating session integrity and potentially allowing unauthorized access.
The solution is to upgrade to version 4.6.1 of @auth0/nextjs-auth0 immediately.
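The following is an added example, not code from Auth0 or from the SDK, that turns the three conditions above into something a team can check: whether an installed `@auth0/nextjs-auth0` version string falls in the advisory's affected range (4.0.1 through 4.6.0), and whether a response that sets a `__session` cookie carries a `Cache-Control` value that stops a shared cache from storing it. The header objects, cookie values and the `applyNoStore` helper are constructed for illustration; the plain-object header representation is an assumption and is not how the SDK or Next.js exposes headers.

```javascript
// Added example (not Auth0's or the SDK's code). Audits the two technical
// conditions from the advisory: an affected SDK version, and a response that
// sets the __session cookie without cache-defeating Cache-Control directives.

// Affected range per the advisory: 4.0.1 <= v <= 4.6.0; fixed in 4.6.1.
const AFFECTED_MIN = "4.0.1";
const AFFECTED_MAX = "4.6.0";

// Parse "4.6.0", "^4.3.2" or "v4.0.1" into [major, minor, patch].
// Assumption: plain semver; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is inside the advisory's affected range.
function isAffectedVersion(installed) {
  return compareVersions(installed, AFFECTED_MIN) >= 0 &&
         compareVersions(installed, AFFECTED_MAX) <= 0;
}

// Headers are modelled as a plain object (constructed for this example);
// lookup is case-insensitive, and Set-Cookie may be a string or an array.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function setsSessionCookie(headers, cookieName = "__session") {
  const raw = getHeader(headers, "set-cookie");
  if (raw === undefined) return false;
  const list = Array.isArray(raw) ? raw : [raw];
  return list.some(c => c.trimStart().startsWith(cookieName + "="));
}

// Directive names from Cache-Control, lower-cased, without their values.
function cacheControlDirectives(headers) {
  const cc = getHeader(headers, "cache-control");
  if (!cc) return new Set();
  return new Set(
    cc.split(",").map(d => d.trim().toLowerCase().split("=")[0]).filter(Boolean)
  );
}

// A shared cache (CDN) must not store a response marked private or no-store.
// Returns a list of findings; an empty list means no caching problem was found.
function auditResponse(headers) {
  const findings = [];
  if (!setsSessionCookie(headers)) return findings;
  const cc = cacheControlDirectives(headers);
  if (cc.size === 0) {
    findings.push("session cookie set with no Cache-Control header");
  } else if (!cc.has("no-store") && !cc.has("private")) {
    findings.push(`Cache-Control "${getHeader(headers, "cache-control")}" permits shared caching`);
  }
  return findings;
}

// Hypothetical hardening helper: returns a copy of the headers with any
// existing Cache-Control replaced by one that forbids shared caching.
function applyNoStore(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== "cache-control") out[k] = v;
  }
  out["Cache-Control"] = "private, no-store";
  return out;
}

// Constructed sample responses (not captured from any real deployment).
const SAMPLE_VULNERABLE = {
  "Content-Type": "text/html",
  "Set-Cookie": "__session=CONSTRUCTED_SESSION_VALUE; Path=/; HttpOnly; Secure; SameSite=Lax",
};
const SAMPLE_HARDENED = {
  "Content-Type": "text/html",
  "Set-Cookie": "__session=CONSTRUCTED_SESSION_VALUE; Path=/; HttpOnly; Secure; SameSite=Lax",
  "Cache-Control": "private, no-cache, no-store, max-age=0, must-revalidate",
};

console.log("4.6.0 affected:", isAffectedVersion("4.6.0"));   // true
console.log("4.6.1 affected:", isAffectedVersion("4.6.1"));   // false
console.log("vulnerable sample:", auditResponse(SAMPLE_VULNERABLE));
console.log("hardened sample:", auditResponse(SAMPLE_HARDENED));
```

Upgrading to 4.6.1 remains the fix; the header audit is useful afterwards as a regression check at the CDN edge, since any response that sets a session cookie without `private` or `no-store` is a caching risk regardless of which library produced it.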