CVE-2025-48947
Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for someone to be affected by the vulnerability: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, applications using CDN or edge caching that caches responses with the Set-Cookie header, and if the Cache-Control header is not properly set for sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.
Is your site exposed to CVE-2025-48947?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-48947? +
How do I check if I'm vulnerable to CVE-2025-48947? +
Related Vulnerabilities
IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on …
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in …
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic …
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay …
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from …
IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another …