NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
Overview In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, Applications using CDN or edge caching that caches responses with the Set-Cookie header. If the Cache-Control header is not properly set …