CVE-2025-67716

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5

Configurations

No configuration.

History

11 Dec 2025, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 01:16

Updated : 2025-12-12 15:18

NVD link : CVE-2025-67716

Mitre link : CVE-2025-67716

CVE.ORG link : CVE-2025-67716

JSON object : View

Products Affected

No product.

CWE

CWE-184

Incomplete List of Disallowed Inputs

5.7 /10