Auth0 Next.js SDK Improper Request Caching Lookup Vulnerability

Vulnerability

A vulnerability exists in the Auth0 Next.js SDK, specifically in versions 4.11.0, 4.11.1, and 4.12.0. When one of these versions is used with a singleton client instance, simultaneous requests can produce incorrect lookups in the TokenRequestCache and therefore mishandle the results of those requests. The root cause is the absence of request deduplication: concurrent calls with identical parameters (the same audience and scope) do not share one in-flight request but execute independently, and each one may save its own token for the same audience/scope combination.

Impact

This vulnerability leads to improper token management: multiple tokens may be cached for the same audience and scope, so concurrent callers making the same request can end up holding different tokens, and the cache no longer reflects a single consistent token per audience/scope combination. This makes authentication handling inconsistent across concurrent requests.

Reproduction

To reproduce this vulnerability, use the Auth0 Next.js SDK version 4.11.0, 4.11.1, or 4.12.0 with a singleton client instance. Then initiate several simultaneous requests that carry identical parameters (same audience and scope). Because in-flight requests are not deduplicated, each request is processed independently, and multiple tokens are saved for the same audience/scope combination even though they were requested with the same values. A test that inspects the cache after the concurrent calls settle will observe more than one stored token for that combination, which demonstrates the caching issue.
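The following is an added illustration of the failure mode described in the Vulnerability and Reproduction sections above; it is not code from the Auth0 Next.js SDK. The class names, the stand-in token endpoint `fetchTokenFromIssuer`, the audience and scope values, and the timings are all assumptions. It contrasts a cache that only records a token after the round trip completes (so concurrent identical calls all miss and each stores its own token) with a cache that records the in-flight promise before the first await, so identical concurrent calls are coalesced into one request.

```javascript
// Added example (not the Auth0 SDK's own code): a minimal model of missing
// request deduplication in a per-audience/scope token cache.

let issued = 0;

// Hypothetical token endpoint: each call mints a distinct token after a short delay.
function fetchTokenFromIssuer(audience, scope) {
  return new Promise((resolve) => {
    setTimeout(() => {
      issued += 1;
      resolve({ token: `tok-${issued}-${audience}`, audience, scope });
    }, 5);
  });
}

// Canonical cache key: normalize scope ordering so "read write" and
// "write read" share one entry instead of silently producing two.
function cacheKey(audience, scope) {
  const scopes = (scope || "").split(/\s+/).filter(Boolean).sort().join(" ");
  return `${audience}|${scopes}`;
}

// Buggy variant: the cache is consulted synchronously and written only after
// the round trip completes. All concurrent callers with the same key miss,
// each performs its own fetch, and each stores its own token under that key.
class NoDedupTokenCache {
  constructor() { this.tokens = new Map(); this.fetches = 0; }
  async getAccessToken({ audience, scope }) {
    const key = cacheKey(audience, scope);
    if (this.tokens.has(key)) return this.tokens.get(key);
    this.fetches += 1;
    const result = await fetchTokenFromIssuer(audience, scope);
    this.tokens.set(key, result); // last writer wins; earlier tokens are already handed out
    return result;
  }
}

// Hardened variant: the pending promise is stored under the key before any
// await, so every concurrent caller with the same key joins the single
// in-flight request. On failure the in-flight entry is evicted so a retry works.
class DedupTokenCache {
  constructor() { this.inflight = new Map(); this.tokens = new Map(); this.fetches = 0; }
  getAccessToken({ audience, scope }) {
    const key = cacheKey(audience, scope);
    if (this.tokens.has(key)) return Promise.resolve(this.tokens.get(key));
    if (this.inflight.has(key)) return this.inflight.get(key);
    this.fetches += 1;
    const pending = fetchTokenFromIssuer(audience, scope)
      .then((result) => { this.tokens.set(key, result); return result; })
      .finally(() => this.inflight.delete(key));
    this.inflight.set(key, pending);
    return pending;
  }
}

// Fire `n` simultaneous requests with identical parameters against a client and
// report how many token fetches happened and how many distinct tokens came back.
async function runConcurrent(client, n) {
  const params = { audience: "https://api.example", scope: "write:orders read:orders" };
  const results = await Promise.all(
    Array.from({ length: n }, () => client.getAccessToken(params))
  );
  return { fetches: client.fetches, distinct: new Set(results.map((r) => r.token)).size };
}

async function demo() {
  const buggy = await runConcurrent(new NoDedupTokenCache(), 5); // fetches: 5, distinct: 5
  const fixed = await runConcurrent(new DedupTokenCache(), 5);   // fetches: 1, distinct: 1
  return { buggy, fixed };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The check a practitioner wants is the one `runConcurrent` performs: after N simultaneous calls with the same parameters, exactly one token request should have left the process and every caller should hold the same token. Storing the promise rather than the resolved value is what closes the window; a cache that only stores resolved values cannot deduplicate, however carefully it is keyed.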

Remediation

Upgrade the Auth0 Next.js SDK to a fixed release: 4.11.2 for the 4.11.x line, or 4.12.1 for the 4.12.x line. Verify the installed version after upgrading, since a singleton client created from a still-vulnerable version retains the behaviour described above.

Added: Dec 10, 2025, 11:20 PM
Updated: Dec 10, 2025, 11:20 PM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          0.6
  exploitability  6.0
  remediation     7.7
  relevance       1.4
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.