CVE-2025-67490: CWE-863: Incorrect Authorization in auth0 nextjs-auth0
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
AI Analysis
Technical Summary
CVE-2025-67490 is an authorization vulnerability classified under CWE-863 found in the Auth0 Next.js SDK (nextjs-auth0), a widely used library for implementing user authentication in Next.js web applications. The issue affects versions 4.11.0 through 4.11.2 and 4.12.0, where simultaneous requests from the same client can cause improper lookups in the TokenRequestCache. This cache is responsible for storing token request results, and the flaw allows one request to potentially access token data intended for another request. This improper authorization can lead to exposure of sensitive authentication tokens, compromising user confidentiality. The vulnerability requires an attacker to have network access and low privileges, and user interaction is necessary, which somewhat limits exploitability. The integrity impact is low since the flaw primarily leaks data rather than allowing modification, and availability is not affected. The vulnerability has a CVSS 3.1 base score of 5.4, reflecting a medium severity level. The issue was publicly disclosed on December 10, 2025, and fixed in versions 4.11.2 and 4.12.1 of the SDK. No known exploits are currently reported in the wild. Organizations using the affected versions should upgrade promptly to mitigate the risk of unauthorized token access and potential downstream attacks leveraging leaked credentials.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of user authentication tokens in Next.js applications using the affected Auth0 SDK versions. Exposure of tokens can lead to unauthorized access to user accounts and services, potentially resulting in data breaches, privacy violations, and compliance issues under regulations like GDPR. While the vulnerability does not directly affect system integrity or availability, the unauthorized access enabled by token leakage can facilitate further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors with high reliance on web applications for customer or employee authentication—such as finance, healthcare, and e-commerce—are particularly at risk. The medium severity rating indicates a moderate but actionable threat, especially in environments where multiple simultaneous authentication requests are common. Failure to patch could undermine trust in authentication mechanisms and lead to regulatory penalties if personal data is compromised.
Mitigation Recommendations
The primary mitigation is to upgrade the Auth0 Next.js SDK to versions 4.11.2 or 4.12.1, where the issue has been fixed. Organizations should audit their applications to identify usage of affected versions and prioritize patching. Additionally, developers should implement strict session management and token validation to detect and prevent token misuse. Employing rate limiting and monitoring for unusual authentication request patterns can help identify exploitation attempts. Where immediate upgrade is not feasible, isolating authentication requests or serializing token requests to avoid simultaneous cache lookups may reduce risk. Security teams should also review logs for anomalies related to token issuance and access. Finally, educating developers on secure use of authentication libraries and maintaining an up-to-date dependency management process will help prevent similar vulnerabilities.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T18:49:47.486Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939f4c87cb4621ebe93c164
Added to database: 12/10/2025, 10:31:36 PM
Last enriched: 12/10/2025, 10:46:51 PM
Last updated: 12/11/2025, 12:54:28 AM
Related Threats
- CVE-2025-67716: CWE-184: Incomplete List of Disallowed Inputs in auth0 nextjs-auth0 (Medium)
- CVE-2025-67511: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in aliasrobotics cai (Critical)
- CVE-2025-67713: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in miniflux v2 (Medium)
- CVE-2025-67644: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in langchain-ai langgraph (High)
- CVE-2025-67646: CWE-352: Cross-Site Request Forgery (CSRF) in Telepedia TableProgressTracking (Low)