All the vulnerabilites related to auth0 - nextjs-auth0
cve-2025-46344
Vulnerability from cvelistv5
Published
2025-04-29 20:43
Modified
2025-04-30 13:17
Severity ?
EPSS score ?
Summary
Auth0 NextJS SDK v4 Missing Session Invalidation
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6 | x_refsource_CONFIRM | |
| https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3 | x_refsource_MISC | |
| https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| auth0 | nextjs-auth0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:17:34.099127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:17:43.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nextjs-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.1, \u003c 4.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T20:43:41.538Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6"
},
{
"name": "https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3"
},
{
"name": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1"
}
],
"source": {
"advisory": "GHSA-pjr6-jx7r-j4r6",
"discovery": "UNKNOWN"
},
"title": "Auth0 NextJS SDK v4 Missing Session Invalidation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46344",
"datePublished": "2025-04-29T20:43:41.538Z",
"dateReserved": "2025-04-22T22:41:54.912Z",
"dateUpdated": "2025-04-30T13:17:43.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32702
Vulnerability from cvelistv5
Published
2021-06-25 16:25
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Reflected XSS from the callback handler's error query parameter
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7 | x_refsource_CONFIRM | |
| https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf | x_refsource_MISC | |
| https://www.npmjs.com/package/%40auth0/nextjs-auth0 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| auth0 | nextjs-auth0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/%40auth0/nextjs-auth0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nextjs-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-25T16:25:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/%40auth0/nextjs-auth0"
}
],
"source": {
"advisory": "GHSA-954c-jjx6-cxv7",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS from the callback handler\u0027s error query parameter",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32702",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS from the callback handler\u0027s error query parameter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nextjs-auth0",
"version": {
"version_data": [
{
"version_value": "\u003c 1.4.2"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7"
},
{
"name": "https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf",
"refsource": "MISC",
"url": "https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf"
},
{
"name": "https://www.npmjs.com/package/@auth0/nextjs-auth0",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/@auth0/nextjs-auth0"
}
]
},
"source": {
"advisory": "GHSA-954c-jjx6-cxv7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32702",
"datePublished": "2021-06-25T16:25:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-43812
Vulnerability from cvelistv5
Published
2021-12-16 18:20
Modified
2024-08-04 04:03
Severity ?
EPSS score ?
Summary
Open redirect in nextjs-auth0
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp | x_refsource_CONFIRM | |
| https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| auth0 | nextjs-auth0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nextjs-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-16T18:20:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6"
}
],
"source": {
"advisory": "GHSA-2mqv-4j3r-vjvp",
"discovery": "UNKNOWN"
},
"title": "Open redirect in nextjs-auth0",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43812",
"STATE": "PUBLIC",
"TITLE": "Open redirect in nextjs-auth0"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nextjs-auth0",
"version": {
"version_data": [
{
"version_value": "\u003c 1.6.2"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp"
},
{
"name": "https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6",
"refsource": "MISC",
"url": "https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6"
}
]
},
"source": {
"advisory": "GHSA-2mqv-4j3r-vjvp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43812",
"datePublished": "2021-12-16T18:20:12",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}