Auth0 Next.js SDK Improper Proxy Cache Lookup Vulnerability Allowing DPoP Nonce Retry Issues

Vulnerability

A vulnerability exists in the Auth0 Next.js SDK, versions 4.12.0 through 4.17.1. When simultaneous requests trigger a DPoP nonce retry, the proxy cache fetcher performs an incorrect lookup of the token request result. Projects that run an affected SDK version with DPoP enabled and use the proxy handler paths '/me/*' and '/my-org/*' are affected.

Impact

Exploitation of this vulnerability can disrupt the proper functioning of DPoP nonce management, potentially leading to incorrect token handling and session updates.

Reproduction

To reproduce this vulnerability, use an Auth0 Next.js SDK version between 4.12.0 and 4.17.1 (inclusive), enable DPoP, and use the proxy handler paths '/me/*' or '/my-org/*'. Issue simultaneous requests that trigger a nonce retry; the proxy cache fetcher then performs an incorrect lookup of the token request results, which demonstrates the vulnerability.

Remediation

Upgrade the Auth0 Next.js SDK to version 4.18.0 or later.
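A version check for the affected range, added here as an example and not part of this advisory or the SDK. It assumes the SDK is installed under its npm name @auth0/nextjs-auth0 and reads the pinned version from a package-lock.json object; the lockfile fragment below is constructed. Whether DPoP and the '/me/*' or '/my-org/*' proxy paths are actually in use must still be confirmed in the application's own configuration.

```javascript
// Affected range from the advisory: 4.12.0 through 4.17.1 inclusive; fixed in 4.18.0.
const AFFECTED_MIN = [4, 12, 0];
const AFFECTED_MAX = [4, 17, 1];
const FIXED_VERSION = "4.18.0";

// Parse "major.minor.patch" (optional leading "v", pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Look up the pinned SDK version in a lockfile v2/v3 "packages" map (assumed layout).
function lockedSdkVersion(lock) {
  const entry = lock.packages && lock.packages["node_modules/@auth0/nextjs-auth0"];
  return entry ? entry.version : null;
}

// Summarise exposure for one lockfile object.
function assess(lock) {
  const version = lockedSdkVersion(lock);
  if (version === null) return { installed: false, affected: false, version: null };
  return { installed: true, version, affected: isAffected(version), upgradeTo: FIXED_VERSION };
}

// Constructed sample lockfile fragment, not taken from a real project.
const sampleLock = { packages: { "node_modules/@auth0/nextjs-auth0": { version: "4.15.2" } } };
console.log(assess(sampleLock));
```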

Added: Apr 17, 2026, 9:42 PM
Updated: Apr 17, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 6.0
remediation: 7.7
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.