CVE-2025-67490
BaseFortify
Publication date: 2025-12-10
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auth0 | nextjs-auth0 | 4.11.0 |
| auth0 | nextjs-auth0 | 4.12.0 |
| auth0 | nextjs-auth0 | 4.11.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Auth0 Next.js SDK versions 4.11.0 through 4.11.2 and 4.12.0. Simultaneous requests on the same client may cause improper lookups of request results in the TokenRequestCache. In other words, when multiple requests happen at the same time, the SDK might return incorrect token data because the cache is mishandled.
How can this vulnerability impact me?
This vulnerability can lead to incorrect token data being returned during simultaneous requests, potentially causing authentication errors or unauthorized access. According to the CVSS score, it has a high impact on confidentiality and a low impact on integrity, with no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Auth0 Next.js SDK to version 4.11.2 or later, or to 4.12.1 or later; these versions contain the fix for the improper TokenRequestCache lookups.