CVE-2025-48947
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
High severity, GitHub Reviewed. Published Jun 4, 2025 in auth0/nextjs-auth0. Updated Jun 4, 2025.
Package
npm @auth0/nextjs-auth0 (npm)
Affected versions
>= 4.0.1, <= 4.6.0
Overview
In @auth0/nextjs-auth0 versions 4.0.1 through 4.6.0, the responses on which auth0.middleware sets the __session cookie carry no Cache-Control header. A CDN or edge cache that stores responses containing a Set-Cookie header can therefore cache such a response and replay its Set-Cookie header to other clients requesting the same URL, handing them another user's session cookie.
Am I Affected?
You are affected if all of the following hold:
- Your application uses @auth0/nextjs-auth0 at a version from 4.0.1 to 4.6.0 inclusive.
- Your application sits behind a CDN or edge cache that stores responses carrying a Set-Cookie header (many caches skip such responses by default, but that is a configuration choice, not a guarantee).
- Your application does not itself add a restrictive Cache-Control header (no-store or private) to the responses produced by auth0.middleware.
Fix
Upgrade @auth0/nextjs-auth0 to v4.6.1, which adds the missing Cache-Control header to responses that set the session cookie.
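The following is an added example, not code from the advisory or from the auth0/nextjs-auth0 project. It covers both the "Am I Affected?" check and a stopgap for deployments that cannot upgrade immediately: an audit function that flags a response setting __session without a Cache-Control directive that forbids shared caching, and a wrapper that can be placed around auth0.middleware (or any function returning an object with a WHATWG `headers` property, which NextResponse is) to mark every Set-Cookie response non-storable. The Cache-Control value used by the wrapper is a conventional choice, not a claim about what v4.6.1 emits, and the storability check is a deliberate simplification of RFC 9111 (it ignores Expires, Vary and cache-specific policy). The sample headers are constructed; the assumed names `auditSessionResponse`, `isSharedCacheStorable` and `withNoStoreOnSetCookie` are this example's own. Runs on Node 18+.

```javascript
// Added example (not auth0/nextjs-auth0 code). Uses the WHATWG Headers class,
// available globally in Node 18+ and in the Next.js middleware runtime.

const SESSION_COOKIE = "__session"; // cookie name from the advisory

// Parse a Cache-Control value into a Map of lower-cased directive -> argument|true.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.join("=") || true);
  }
  return directives;
}

// Simplified RFC 9111 check: a shared cache (CDN/edge) MUST NOT store a
// response whose Cache-Control contains no-store or private. Note that a
// Set-Cookie header on its own does NOT forbid storage; whether a CDN skips
// such responses is policy, not protocol, which is exactly the gap the
// advisory describes. (Assumption: Expires/Vary and vendor rules are ignored.)
function isSharedCacheStorable(headers) {
  const cc = parseCacheControl(headers.get("cache-control"));
  return !(cc.has("no-store") || cc.has("private"));
}

// Audit one response's headers. Returns a finding string when the response
// sets the session cookie but leaves it storable by a shared cache, else null.
function auditSessionResponse(headers) {
  const setCookie = headers.get("set-cookie") || "";
  // Headers.get() joins multiple Set-Cookie values with ", ", so match the
  // cookie name at the start or after such a separator.
  const setsSession = new RegExp(`(?:^|,\\s*)${SESSION_COOKIE}=`).test(setCookie);
  if (!setsSession || !isSharedCacheStorable(headers)) return null;
  const cc = headers.get("cache-control") || "absent";
  return `response sets ${SESSION_COOKIE} but Cache-Control (${cc}) allows shared caching`;
}

// Stopgap for deployments that cannot upgrade yet: wrap the SDK middleware so
// that any response carrying Set-Cookie is marked non-storable before it
// leaves the app. `middleware` is (request) => Promise<{ headers: Headers }>.
function withNoStoreOnSetCookie(middleware) {
  return async (request) => {
    const response = await middleware(request);
    if (response.headers.has("set-cookie") && isSharedCacheStorable(response.headers)) {
      // Conventional "never cache" value; an assumption, not the SDK's own string.
      response.headers.set(
        "cache-control",
        "private, no-cache, no-store, max-age=0, must-revalidate",
      );
    }
    return response;
  };
}

// Constructed sample responses (not captured from a real deployment).
const vulnerableHeaders = new Headers({
  "content-type": "text/html; charset=utf-8",
  "set-cookie": `${SESSION_COOKIE}=opaque-session-value; Path=/; HttpOnly; Secure; SameSite=Lax`,
});
const fixedHeaders = new Headers({
  "content-type": "text/html; charset=utf-8",
  "set-cookie": `${SESSION_COOKIE}=opaque-session-value; Path=/; HttpOnly; Secure; SameSite=Lax`,
  "cache-control": "private, no-cache, no-store, max-age=0, must-revalidate",
});

// Runs the audit on the vulnerable and fixed samples, then shows the wrapper
// turning a vulnerable response into one the audit accepts.
async function demo() {
  // Stand-in for auth0.middleware: returns a fresh copy of the vulnerable headers.
  const fakeMiddleware = async () => ({ headers: new Headers(vulnerableHeaders) });
  const wrapped = await withNoStoreOnSetCookie(fakeMiddleware)({});
  return {
    before: auditSessionResponse(vulnerableHeaders),
    after: auditSessionResponse(fixedHeaders),
    wrapped: auditSessionResponse(wrapped.headers),
  };
}

demo().then((r) => console.log(r));
```

To use the audit against a live deployment, pass the `headers` of a `fetch()` response for a route that triggers login or session refresh, and run it from outside the CDN as well as directly against the origin; a finding on the origin means the application is relying entirely on cache policy to keep sessions private. The wrapper only helps if it sits between auth0.middleware and the CDN, so it belongs in the exported Next.js middleware itself, not in a page handler.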
References
- GHSA-f3fg-mf2q-fj3f
- auth0/nextjs-auth0@12a62ca
Published to the GitHub Advisory Database
Jun 4, 2025