CVE-2025-67716 MEDIUM

CVE-2025-67716: Auth0 Next.js SDK has Improper Validation of Query Parameters

Vendor Auth0
Product nextjs-auth0
Weakness CWE-184
Published December 11, 2025
Last update December 11, 2025

CVSS base score

5.7/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.
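As an added defensive illustration, not the SDK's own code or its fix, this is the kind of allowlist check an application can apply to a returnTo value before building an authorization request: CWE-184 flaws come from denylists that miss a case, so the check accepts only app-relative paths and rejects any query key that collides with OAuth/OIDC request parameters, then carries the value opaquely inside state rather than appending it raw. The base origin, the reserved-parameter list and the issuer values are assumptions for the example.

```javascript
// Added example (not nextjs-auth0 code). Reserved request parameters that a
// returnTo value must never be able to set; list is an assumption, extend as needed.
const OAUTH_RESERVED = new Set([
  'client_id', 'redirect_uri', 'response_type', 'response_mode', 'scope',
  'state', 'nonce', 'code_challenge', 'code_challenge_method', 'prompt',
  'connection', 'organization', 'invitation', 'audience', 'login_hint',
]);

// Assumed application origin, used only so URL() resolves relative paths.
const APP_ORIGIN = 'https://app.example.invalid';

// Allowlist: exactly one leading "/", no scheme-relative forms, no control
// characters or whitespace, same origin after parsing, no reserved query keys.
function isSafeReturnTo(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) return false;
  if (/[\u0000-\u001f\u007f\s]/.test(value)) return false;
  let parsed;
  try { parsed = new URL(value, APP_ORIGIN); } catch { return false; }
  if (parsed.origin !== APP_ORIGIN) return false;
  // searchParams decodes percent-encoding, so "%70rompt" is seen as "prompt".
  for (const key of parsed.searchParams.keys()) {
    if (OAUTH_RESERVED.has(key.toLowerCase())) return false;
  }
  return true;
}

// Carry returnTo inside the opaque state value (base64url JSON) instead of the
// query string, so it cannot add or override authorization parameters.
function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
function decodeState(s) {
  return JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
}

// Build the /authorize URL; an unsafe returnTo silently falls back to "/".
function buildAuthorizeUrl(issuer, clientId, redirectUri, returnTo, fallback = '/') {
  const target = isSafeReturnTo(returnTo) ? returnTo : fallback;
  const u = new URL('/authorize', issuer);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'openid profile email');
  u.searchParams.set('state', encodeState({ returnTo: target }));
  return u.toString();
}
```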

Key dates

Disclosure timeline

December 11, 2025 CVE published
December 11, 2025 Record updated