CVE-2025-67716: Improper Validation of Query Parameters in Auth0 Next.js SDK

December 10, 2025 (updated December 11, 2025)

An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters

References

github.com/advisories/GHSA-mr6f-h57v-rpj5
github.com/auth0/nextjs-auth0
github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c
github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5
nvd.nist.gov/vuln/detail/CVE-2025-67716

Code Behaviors & Features

Detect and mitigate CVE-2025-67716 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →