Session Cookie Vulnerability in Auth0 Next.js SDK for User Authentication
CVE-2025-48947

7.7 HIGH

Key Information:

Vendor:
Auth0

CVE Published:
4 June 2025

What is CVE-2025-48947?

The Auth0 Next.js SDK (nextjs-auth0) streamlines user authentication in applications built with Next.js. In versions 4.0.1 through 4.6.0, the __session cookie set by auth0.middleware can be cached by a Content Delivery Network (CDN), because the responses that carry it are sent without the Cache-Control headers that would keep a shared cache from storing them, so a response carrying one user's session cookie can be retained by the cache. An application is at risk only when all of the following hold: it uses one of the affected SDK versions, it is deployed behind a CDN that caches responses containing Set-Cookie headers, and it does not set Cache-Control headers on sensitive responses. Users are strongly advised to upgrade to version 4.6.1 to mitigate this risk.
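The following is an added example, not code from the advisory or from the nextjs-auth0 project: it audits a response's headers for the combination described above (a Set-Cookie for __session with no Cache-Control directive that forbids shared caching) and shows the hardened header set. Headers are modelled as [name, value] pairs and the sample response is constructed; all function names are hypothetical.

```javascript
// Added example, not from the advisory or the nextjs-auth0 project: audit
// response headers for the condition CVE-2025-48947 depends on, a Set-Cookie
// for __session on a response that shared caches (CDNs) are allowed to store.
const SESSION_COOKIE = "__session";
// Every value of a header, matched case-insensitively (Set-Cookie may repeat).
function headerValues(headers, name) {
  const want = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === want).map(([, v]) => v);
}
// Cookie names from all Set-Cookie headers on the response.
function setCookieNames(headers) {
  return headerValues(headers, "set-cookie").map((c) => c.split(";")[0].split("=")[0].trim());
}
// Cache-Control directive names, lower-cased, with any "=value" part dropped.
function cacheControlDirectives(headers) {
  const names = new Set();
  for (const value of headerValues(headers, "cache-control")) {
    for (const d of value.split(",")) {
      const name = d.trim().split("=")[0].toLowerCase();
      if (name) names.add(name);
    }
  }
  return names;
}
// { risk, reason } for one response. "no-store" and "private" each forbid a
// shared cache from storing the response; anything else leaves it cacheable.
function auditSessionResponse(headers) {
  if (!setCookieNames(headers).includes(SESSION_COOKIE)) {
    return { risk: false, reason: "response does not set " + SESSION_COOKIE };
  }
  const d = cacheControlDirectives(headers);
  if (d.has("no-store") || d.has("private")) {
    return { risk: false, reason: "Cache-Control prevents shared caching" };
  }
  return { risk: true, reason: SESSION_COOKIE + " set without private/no-store Cache-Control" };
}
// Mitigating form: a response that sets __session leaves with
// "Cache-Control: private, no-store", replacing any Cache-Control it carried.
function hardenHeaders(headers) {
  if (!setCookieNames(headers).includes(SESSION_COOKIE)) return headers;
  const kept = headers.filter(([n]) => n.toLowerCase() !== "cache-control");
  return [...kept, ["Cache-Control", "private, no-store"]];
}
// Constructed sample of a risky response: public caching plus a session cookie.
const SAMPLE_RISKY = [
  ["Content-Type", "text/html"],
  ["Cache-Control", "public, max-age=60"],
  ["Set-Cookie", "__session=constructed-sample-value; Path=/; HttpOnly; Secure"],
];
```

Running auditSessionResponse over captured middleware responses from an affected deployment flags exactly the responses a CDN could store; hardenHeaders shows the header set those responses should carry.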

Affected Version(s)

nextjs-auth0 >= 4.0.1, < 4.6.1

References

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
