Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for someone to be affected by the vulnerability: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, applications using CDN or edge caching that caches responses with the Set-Cookie header, and if the Cache-Control header is not properly set for sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.

INFO

Published Date :

2025-06-04T20:14:44.369Z

Last Modified :

2025-06-04T20:50:02.568Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48947 vulnerability.

Vendors Products
Auth0
  • Nextjs-auth0
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48947.

URL Resource
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-f3fg-mf2q-fj3f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability