Auth0 Next.js SDK CDN Caching Vulnerability Allowing Session Cookie Exposure

Vulnerability

A vulnerability exists in Auth0 Next.js SDK versions 4.0.1 through 4.6.0, where `__session` cookies set by auth0.middleware may be cached by CDNs. This issue arises from the absence of Cache-Control headers, allowing sensitive cookies to be stored in cached responses. To be affected, an application must use a vulnerable version of the Auth0 Next.js SDK, employ CDN or edge caching that stores responses carrying a Set-Cookie header, and fail to properly configure the Cache-Control header for sensitive responses.

Impact

Exploitation of this vulnerability can lead to unauthorized access to session cookies, potentially allowing for session hijacking or impersonation of users.

Remediation

Users should upgrade to Auth0 Next.js SDK version 4.6.1, which addresses this vulnerability.
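The following is an added example, not code from the advisory or from the Auth0 SDK: it audits a response's headers for the condition described above (a Set-Cookie for `__session` with no Cache-Control directive that forbids shared caching) and shows the defensive header a wrapper around the middleware would add. It assumes the standard Fetch `Headers` API (Node 18+ / Next.js middleware responses) and the cookie name `__session` from the advisory; the wrapper pattern is an assumption, not the SDK's own fix.

```javascript
// Added example: detect and harden responses that set the session cookie
// without a Cache-Control header, so a CDN or edge cache cannot store them.
const SESSION_COOKIE = '__session'; // cookie name taken from the advisory

// Parse a Cache-Control value into a Map of lowercase directive -> value|true.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, val] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), val === undefined ? true : val.replace(/"/g, ''));
  }
  return directives;
}

// Names of all cookies set by the response. getSetCookie() (Node >= 18.14)
// returns each Set-Cookie separately; the fallback only sees a single value.
function setCookieNames(headers) {
  const raw = typeof headers.getSetCookie === 'function'
    ? headers.getSetCookie()
    : (headers.get('set-cookie') ? [headers.get('set-cookie')] : []);
  return raw.map((c) => c.split(';')[0].split('=')[0].trim());
}

// A shared cache may store the response unless no-store or private is present.
// No Cache-Control header at all is exactly the vulnerable case in the advisory.
function isSharedCacheable(headers) {
  const cc = parseCacheControl(headers.get('cache-control'));
  return !(cc.has('no-store') || cc.has('private'));
}

// Audit: report whether this response could leak the session cookie via a CDN.
function auditSessionCookieExposure(headers) {
  const setsSessionCookie = setCookieNames(headers).includes(SESSION_COOKIE);
  const sharedCacheable = isSharedCacheable(headers);
  return { setsSessionCookie, sharedCacheable, exposed: setsSessionCookie && sharedCacheable };
}

// Mitigation (assumed wrapper behaviour): any response that sets a cookie is
// marked private and uncacheable before it leaves the application.
function hardenCookieResponse(headers) {
  if (setCookieNames(headers).length > 0) {
    headers.set('cache-control', 'private, no-store');
  }
  return headers;
}
```

Run the audit over the headers of responses produced by the auth middleware in a test or a logging hook; any `exposed: true` result identifies a response a CDN could have stored.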

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.