CVE-2025-67716

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67716
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67716.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67716
Aliases
Published
2025-12-11T00:21:27.687Z
Modified
2025-12-11T19:37:33.634142Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Auth0 Next.js SDK has Improper Validation of Query Parameters
Details

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

Database specific 
{
    "cwe_ids": [
        "CWE-184"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67716.json"
}
References

Affected packages

Git / github.com/auth0/nextjs-auth0

Affected ranges

Type
GIT
Repo
https://github.com/auth0/nextjs-auth0
Events
Introduced
0e83495ac6688e759e5ead54d4f27019a4773fbe
Fixed
3abb9b5038b38b73522000e426c38715e318b0de
Database specific 
{
    "versions": [
        {
            "introduced": "4.9.0"
        },
        {
            "fixed": "4.13.0"
        }
    ]
}

Affected versions

v4.*

v4.10.0
v4.11.0
v4.11.1
v4.12.0
v4.12.1
v4.9.0