CVE-2025-48947: NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

June 4, 2025

Overview In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers.

Am I Affected? You are affected by this vulnerability if you meet the following preconditions:

Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0,
Applications using CDN or edge caching that caches responses with the Set-Cookie header.
If the Cache-Control header is not properly set for sensitive responses.

Fix Upgrade auth0/nextjs-auth0 to v4.6.1.

References

github.com/advisories/GHSA-f3fg-mf2q-fj3f
github.com/auth0/nextjs-auth0
github.com/auth0/nextjs-auth0/commit/12a62ca596db3b0827b39a4b865b882423e7cb1e
github.com/auth0/nextjs-auth0/security/advisories/GHSA-f3fg-mf2q-fj3f
nvd.nist.gov/vuln/detail/CVE-2025-48947

Code Behaviors & Features

Detect and mitigate CVE-2025-48947 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →