@auth0/nextjs-auth0
npm · 6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @auth0/nextjs-auth0 (page 1 of 1)
- CVE-2021-32702 · HIGH · CVSS 8.0 · EG 8.0 · ✓ Fixed in 1.4.2 · 2021-06-25
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in t…
- CVE-2021-43812 · MEDIUM · CVSS 6.4 · EG 6.4 · ✓ Fixed in 1.6.2 · 2021-12-16
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect…
- CVE-2025-46344 · MEDIUM · CVSS 4.9 · EG 0.0 · ✓ Fixed in 4.5.1 · 2025-04-29
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, …
- CVE-2025-48947 · HIGH · CVSS 7.7 · EG 0.0 · ✓ Fixed in 4.6.1 · 2025-06-04
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Cont…
- CVE-2025-67716 · MEDIUM · CVSS 5.7 · EG 5.7 · ✓ Fixed in 4.13.0 · 2025-12-11
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAu…
- CVE-2026-40155 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 4.18.0 · 2026-04-17
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper look…
Check whether @auth0/nextjs-auth0 is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @auth0/nextjs-auth0 CVEs against the assets you own.