Headline
GHSA-mr6f-h57v-rpj5: Improper Validation of Query Parameters in Auth0 Next.js SDK
Description
An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters
Am I Affected?
You are affected if you meet the following preconditions:
- Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0
Affected product and versions
Auth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.13.0
Acknowledgements
Okta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-67716
Improper Validation of Query Parameters in Auth0 Next.js SDK
Low severity GitHub Reviewed Published Dec 10, 2025 in auth0/nextjs-auth0 • Updated Dec 10, 2025
Package
npm @auth0/nextjs-auth0 (npm)
Affected versions
>= 4.9.0, < 4.13.0
Description
An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters
Am I Affected?
You are affected if you meet the following preconditions:
- Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0
Affected product and versions
Auth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.13.0
Acknowledgements
Okta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.
References
- GHSA-mr6f-h57v-rpj5
- auth0/nextjs-auth0@35eb321
Published to the GitHub Advisory Database
Dec 10, 2025
Last updated
Dec 10, 2025