PT-2025-23857 · Auth0 · Auth0 Next.Js Sdk

Femiajiboye-Okta · Published 2025-06-04 · Updated 2025-06-05 · CVE-2025-48947

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions: Auth0 Next.js SDK versions 4.0.1 through 4.6.0

Description: Session cookies set by auth0.middleware can be cached by a CDN or edge cache because the responses that set them carry no Cache-Control header. Three preconditions must all hold for the vulnerability to be exploitable: the application uses the NextJS-Auth0 SDK at a version from 4.0.1 through 4.6.0; the application sits behind a CDN or edge cache that stores responses containing a Set-Cookie header; and the Cache-Control header is not properly set on those sensitive responses.

Recommendations: For Auth0 Next.js SDK versions 4.0.1 through 4.6.0, upgrade auth0/nextjs-auth0 to v4.6.1, which contains the patch. As a temporary workaround, ensure the Cache-Control header is properly set on sensitive responses (in particular any response that sets the session cookie) so that shared caches cannot store them.
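The workaround above, as an added example that is not part of the advisory and not code from the Auth0 Next.js SDK: a small helper that forces a shared-cache-safe Cache-Control value onto any response carrying a Set-Cookie header, a wrapper that applies it around a middleware function, and a review helper that flags captured responses which would have been vulnerable. The function names, the fake middleware and the sample cookie values are all constructed for illustration; the only real API used is the WHATWG `Headers` object (a Node 18+ global, and what Next.js responses expose).

```javascript
// Added example, not code from the advisory or from the Auth0 Next.js SDK.
// Mitigation for CDN caching of Set-Cookie responses: any response that sets
// a cookie must also carry a Cache-Control header that forbids shared caches
// from storing it. All names below are constructed for illustration.

const NO_STORE = "private, no-store, no-cache, max-age=0, must-revalidate";

// A shared cache (CDN, edge) may store a response unless Cache-Control says
// "private" or "no-store". A missing header counts as cacheable, because
// many CDNs apply a default TTL when the origin says nothing.
function isSharedCacheable(cacheControl) {
  if (!cacheControl) return true;
  const directives = cacheControl.toLowerCase().split(",").map((d) => d.trim());
  return !directives.includes("private") && !directives.includes("no-store");
}

// Applies the fix to a WHATWG Headers object. Returns true when the headers
// were changed, false when there was no cookie or they were already safe.
function hardenSetCookieResponse(headers) {
  if (!headers.has("set-cookie")) return false;
  if (!isSharedCacheable(headers.get("cache-control"))) return false;
  headers.set("cache-control", NO_STORE);
  return true;
}

// Wraps a middleware function (for example a hypothetical auth0.middleware)
// so that every response it returns is hardened before it leaves the app.
function withNoStoreForCookies(middleware) {
  return async (request) => {
    const response = await middleware(request);
    if (response && response.headers) hardenSetCookieResponse(response.headers);
    return response;
  };
}

// Review helper: given captured responses ({ url, headers }), return the
// URLs that set a cookie while remaining storable by a shared cache.
function findCacheableCookieResponses(responses) {
  return responses
    .filter((r) => r.headers.has("set-cookie") && isSharedCacheable(r.headers.get("cache-control")))
    .map((r) => r.url);
}

// Constructed stand-in for a vulnerable middleware: it sets a session cookie
// and says nothing about caching.
async function vulnerableMiddleware(_request) {
  return {
    status: 200,
    headers: new Headers({
      "set-cookie": "appSession=CONSTRUCTED_SAMPLE_VALUE; Path=/; HttpOnly; Secure",
      "content-type": "text/html",
    }),
  };
}

// Runs the unwrapped and wrapped middleware on the same request and reports
// whether each result could be stored by a shared cache.
async function demo() {
  const wrapped = withNoStoreForCookies(vulnerableMiddleware);
  const before = await vulnerableMiddleware({ url: "/dashboard" });
  const after = await wrapped({ url: "/dashboard" });
  return {
    beforeCacheable: isSharedCacheable(before.headers.get("cache-control")),
    afterCacheControl: after.headers.get("cache-control"),
    afterCacheable: isSharedCacheable(after.headers.get("cache-control")),
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

In a real deployment the wrapper sits at the point where the application's middleware chain returns its response; the review helper is meant to be run over an export of CDN access logs or captured responses to find any path that still serves a Set-Cookie without a restrictive Cache-Control.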

Related Identifiers

CVE-2025-48947
GHSA-F3FG-MF2Q-FJ3F

Affected Products

Auth0 Next.Js Sdk