
CVE-2025-48947: NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

CVSS Score (v4.0): 7.7

Basic Information

EPSS Score: 0.21318%
Published: 6/4/2025
Updated: 6/4/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| @auth0/nextjs-auth0 | npm | >= 4.0.1, <= 4.6.0 | 4.6.1 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability (CVE-2025-48947 / GHSA-f3fg-mf2q-fj3f) in the @auth0/nextjs-auth0 SDK (versions 4.0.1 through 4.6.0) is that HTTP responses which set or refresh the session cookie are emitted without Cache-Control headers, so nothing in them tells a CDN or other shared cache not to store them. The fix, commit 12a62ca596db3b0827b39a4b865b882423e7cb1e, introduces a utility function addCacheControlHeadersForSession (in src/server/cookies.ts) and calls it from several methods of the AuthClient class (in src/server/auth-client.ts).

AuthClient is the class that handles authentication and session management. Its methods handleAuthRouter (specifically the login path), handleLogout, handleCallback, handleMe and handleAccessToken create, modify or read the session cookie, or return session-derived data. In the vulnerable versions these methods built their responses (cookie-setting redirects, user-data JSON, the post-logout redirect) without directives such as private, no-cache, no-store, must-revalidate and max-age=0. Most CDNs decline to store responses carrying Set-Cookie unless explicitly configured to, which is why exploitation is conditioned on a cache configured that way. Where a shared cache does store such a response, it serves one user's Set-Cookie header or session data to the next client that requests the same cache key, which amounts to session hijacking or information disclosure.

The patch adds a call to addCacheControlHeadersForSession(res) in each of these methods, so every response that touches session state is marked as not storable by shared caches. The pre-patch versions of these methods are therefore the vulnerable functions: they are what emitted the cacheable session responses. During exploitation the triggering request is an ordinary request to one of the endpoints these methods serve; the misconfigured CDN stores the response and replays it to later requesters, and these method names are what a runtime profile or stack trace shows while the vulnerable operation runs.

Vulnerable functions

AuthClient.handleAuthRouter
src/server/auth-client.ts
Dispatches the authentication routes, including login. In the vulnerable versions the login response, which sets cookies for the login flow and redirects the user, carried no Cache-Control headers, so a CDN configured to cache Set-Cookie responses could store it.
AuthClient.handleLogout
src/server/auth-client.ts
Handles logout, which clears the session cookie. In the vulnerable versions the resulting redirect carried no Cache-Control headers, so a cache could store the cookie-clearing response; a cached copy served to other users would clear their session cookies as well.
AuthClient.handleCallback
src/server/auth-client.ts
Completes the flow after the identity provider redirects back and establishes the session. In the vulnerable versions the response that sets the session cookie via `Set-Cookie` and redirects the user carried no Cache-Control headers, so a CDN configured to cache Set-Cookie responses could store it and hand one user's session cookie to the next. Because the callback URL carries per-login query parameters, reaching this in practice also requires a cache key that ignores the query string.
AuthClient.handleMe
src/server/auth-client.ts
Serves the current user's session information as JSON. In the vulnerable versions that JSON, derived from the session and potentially sensitive, was returned without Cache-Control headers. Cache keys do not normally include the request's cookies, so a shared cache that stores this response serves one user's profile to every later requester of the URL.
AuthClient.handleAccessToken
src/server/auth-client.ts
Returns an access token for the current session, refreshing it when needed; a refresh updates the session and re-sets the session cookie. In the vulnerable versions the response, containing the token and possibly a fresh `Set-Cookie`, carried no Cache-Control headers and was therefore storable by a misconfigured CDN.

WAF Protection Rules

WAF Rule

**Overview** In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. **Am I affected?** You are affected by this vulnerability if you meet the following pre…
