Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0.
AnalysisAI
Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.
Technical ContextAI
The Auth0 Next.js SDK provides authentication abstraction for Next.js applications, interfacing with Auth0's identity platform. The vulnerability exists in the proxy cache fetcher component responsible for handling token request results and nonce management during the OAuth/OIDC flow. When simultaneous requests trigger nonce retries (a mechanism to refresh or revalidate authentication tokens), the cache lookup mechanism performs improper key matching or state isolation, causing one user's cached authentication context to be misattributed to another concurrent request. The DPoP (Demonstration of Proof-of-Possession) mechanism, an OAuth extension for binding tokens to specific client instances, amplifies this issue by adding an additional layer of request-specific binding that the cache fetcher fails to properly respect during concurrent access. CWE-863 (Incorrect Authorization) indicates the root cause is flawed authorization decision logic, specifically the failure to properly isolate or validate session/user context during cache operations.
RemediationAI
Immediately upgrade to Auth0 Next.js SDK version 4.18.0 or later, which includes the corrected proxy cache fetcher logic that properly isolates concurrent requests and respects DPoP token binding. The fix is available at https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0. For organizations unable to upgrade immediately, disable the DPoP feature in Auth0 configuration (if business logic permits) or restrict concurrent session access via load balancer/reverse proxy rate limiting on /me/* and /my-org/* endpoints to reduce collision probability; however, these workarounds do not address the root cache isolation defect and should be considered temporary only. The fix commit 98c36dc306970c2230ea1a32efef431d29b99978 is available for review and contains specific changes to cache key generation and user context isolation during nonce retry operations.
More in Nextjs Auth0
View allThe Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Rated medium severity (
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Rated medium severity (
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23537
GHSA-xq8m-7c5p-c2r6