CVE-2025-67490 MEDIUM

CVE-2025-67490: Auth0 Next.js SDK has Improper Request Caching Lookup

Vendor: Auth0
Product: nextjs-auth0
Weakness: CWE-863 · Incorrect authorization
Published: December 10, 2025
Last update: December 11, 2025

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

Key dates

02 Disclosure timeline

December 10, 2025: CVE published
December 11, 2025: Record updated