cvedb.io
CVE-2025-67716
MEDIUM · CVSS 5.7
EPSS exploitation probability: 0%
Published 2025-12-11T01:16:00.890 · Last modified 2026-06-17T09:58:01.363

Summary

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

Affected products

auth0 — nextjs-auth0


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.