Auth0 Next.js SDK Input-Validation Vulnerability Allowing OAuth Parameter Injection

Vulnerability

A vulnerability exists in the Auth0 Next.js SDK, affecting versions from 4.9.0 up to, but not including, 4.13.0. The issue arises from improper validation of the returnTo parameter, which could enable attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Exploitation of this flaw may lead to the issuance of tokens with unintended parameters.

Impact

Exploitation of this vulnerability could result in the injection of malicious OAuth parameters, potentially allowing for unauthorized actions or access within the application.

Reproduction

The vulnerability can be reproduced by running an affected version of the Auth0 Next.js SDK (earlier than 4.13.0) and supplying a returnTo value that carries additional OAuth query parameters. Because the value is not validated, those extra parameters could be interpreted by the OAuth authorization process as part of the request.

Remediation

Users are advised to upgrade the Auth0 Next.js SDK to version 4.13.0 or later.

Added: Dec 11, 2025, 1:19 AM
Updated: Dec 11, 2025, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.3
exploitability: 6.2
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.