PT-2025-50563 · Auth0 · Auth0 Next.Js Sdk
Published 2025-12-11 · Updated 2025-12-11 · CVE-2025-67716
CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Auth0 Next.js SDK versions 4.9.0 through 4.12.1
Description
The Auth0 Next.js SDK has an input-validation issue in the returnTo parameter. This flaw allows attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation could lead to tokens being issued with unintended parameters.
Recommendations
Update to version 4.13.0 or later.
Weakness Enumeration
Incomplete List of Disallowed Inputs
Affected Products
Auth0 Next.Js Sdk