CVE-2025-48947

EUVD-2025-16914 | HIGH 7.7 (CVSS 4.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Passive (P)

Lifecycle Timeline

Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16914
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
CVE Published
Jun 04, 2025 - 21:15 nvd
HIGH 7.7

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met for an application to be affected: it uses the NextJS-Auth0 SDK at a version from 4.0.1 to 4.6.0; it sits behind a CDN or edge cache that caches responses carrying a Set-Cookie header; and the Cache-Control header is not properly set on sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.
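As an added illustration of the third precondition (not code from the advisory or from the Auth0 SDK), the check below flags a response that sets the `__session` cookie without a Cache-Control header that keeps shared caches from storing it, and a hardening helper adds `private, no-store` to any cookie-setting response. The function names are hypothetical; it uses the WHATWG Headers API (Node 18+, the same object Next.js middleware works with), and the sample headers are constructed.

```javascript
// Added example: defender-side audit and hardening for cookie-setting
// responses that a CDN could cache. Not taken from the advisory or the SDK.

const SENSITIVE_COOKIES = ['__session']; // cookie name taken from the advisory

// Lower-cased directive names from a Cache-Control value,
// e.g. "private, max-age=0" -> Set {"private", "max-age"}.
function cacheControlDirectives(value) {
  return new Set(
    (value || '').split(',')
      .map((d) => d.trim().split('=')[0].toLowerCase())
      .filter(Boolean),
  );
}

// All Set-Cookie values. getSetCookie() exists on newer runtimes; older ones
// only expose the comma-joined form via get(), which suffices for this check.
function setCookieValues(headers) {
  if (typeof headers.getSetCookie === 'function') return headers.getSetCookie();
  const joined = headers.get('set-cookie');
  return joined ? [joined] : [];
}

// Names of sensitive cookies that a shared cache would be allowed to store:
// no Cache-Control at all, or one lacking both `private` and `no-store`.
function auditCookieCaching(headers) {
  const directives = cacheControlDirectives(headers.get('cache-control'));
  if (directives.has('no-store') || directives.has('private')) return [];
  return setCookieValues(headers)
    .map((c) => c.split('=')[0].trim())
    .filter((name) => SENSITIVE_COOKIES.includes(name));
}

// Hardening: any response carrying Set-Cookie is marked uncacheable for
// shared caches unless it already is. Mutates and returns `headers`.
function hardenSetCookieHeaders(headers) {
  if (setCookieValues(headers).length > 0) {
    const d = cacheControlDirectives(headers.get('cache-control'));
    if (!d.has('no-store') && !d.has('private')) {
      headers.set('Cache-Control', 'private, no-store');
    }
  }
  return headers;
}

// Constructed sample in the vulnerable shape: session cookie set, no Cache-Control.
const sampleVulnerable = () =>
  new Headers({ 'Set-Cookie': '__session=abc123; Path=/; HttpOnly; Secure' });
```

Run `auditCookieCaching` over a response's headers in a middleware-level test or a proxy log replay to find cookie-setting responses a CDN would be permitted to store.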

Analysis

A security vulnerability in Next.js applications using the Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Technical Context

Vulnerability type not specified by vendor. CVSS 7.7 indicates high severity. Affects Next.js applications using the Auth0 Next.js SDK.

Affected Products

Next.js applications using the Auth0 Next.js SDK

Remediation

A patch is available (see the lifecycle timeline): upgrade auth0/nextjs-auth0 to v4.6.1 as stated in the description. Otherwise, monitor vendor channels for patch availability.

Priority Score

39
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0


CVE-2025-48947 vulnerability details – vuln.today
