CVE-2025-67716

EPSS 0.05%
Veröffentlicht 11.12.2025 00:21:27
Zuletzt bearbeitet 12.12.2025 15:18:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerauth0

≫

Produkt nextjs-auth0

Version >= 4.9.0, < 4.13.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.142

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.7	0.5	5.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5

https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c

https://nvd.nist.gov/vuln/detail/CVE-2025-67716

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67716

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67716

EUVD