GHSA-XQ8M-7C5P-C2R6
Vulnerability from github – Published: 2026-04-21 15:21 – Updated: 2026-04-21 15:21
VLAI?
Summary
Auth0 Next.js SDK has Improper Proxy Cache Lookup
Details
Description
In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.
Which Projects are Affected?
Users are affected if they meet all of the following preconditions: - Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and - Applications using the proxy handler /me/ and /my-org/ with DPoP enabled.
Affected product and versions
Auth0/nextjs-auth0 v4.12.0 to 4.17.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.18.0 or greater
Acknowledgements
Okta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.
Severity ?
5.4 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.0"
},
"package": {
"ecosystem": "npm",
"name": "@auth0/nextjs-auth0"
},
"ranges": [
{
"events": [
{
"introduced": "4.12.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40155"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T15:21:46Z",
"nvd_published_at": "2026-04-17T21:16:33Z",
"severity": "MODERATE"
},
"details": "### Description\nIn affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.\n\n### Which Projects are Affected?\nUsers are affected if they meet all of the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and\n- Applications using the proxy handler /me/* and /my-org/* with DPoP enabled.\n\n\n### Affected product and versions\nAuth0/nextjs-auth0 v4.12.0 to 4.17.0\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.18.0 or greater\n\n### Acknowledgements\nOkta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.",
"id": "GHSA-xq8m-7c5p-c2r6",
"modified": "2026-04-21T15:21:46Z",
"published": "2026-04-21T15:21:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40155"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/nextjs-auth0"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Next.js SDK has Improper Proxy Cache Lookup"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…