Platform
nodejs
Component
@auth0/nextjs-auth0
Fixed in
4.12.1
4.18.0
CVE-2026-40155 affects @auth0/nextjs-auth0, the Auth0 SDK for adding user authentication to Next.js applications. When several requests are in flight at once and one of them triggers a DPoP nonce retry, the SDK's proxy cache fetcher can look up the wrong token request result. The issue affects versions 4.12.0 through 4.17.1, and only when the project uses the proxy handler for the /me/* and /my-org/* routes with DPoP enabled. It is fixed in version 4.18.0.
In affected versions (4.12.0 up to, but not including, 4.18.0), multiple simultaneous requests in which one triggers a DPoP nonce retry can cause the proxy cache fetcher to look up the wrong token request result, so one request can be served the cached result that belongs to another. Under the right conditions an attacker could use this to interfere with the proxied authentication flow. The bug is reachable only when the proxy handler is used for /me/* and /my-org/* with DPoP enabled. Update to version 4.18.0 or later.
Exploitation requires all of the following: an affected SDK version, the proxy handler configured for /me/* and /my-org/*, and DPoP enabled. An attacker would also have to drive several simultaneous requests so that one of them hits a nonce retry while the others are in flight, which is what confuses the proxy cache fetcher. These preconditions limit the overall risk, but because the outcome is a request being matched with the wrong token result, affected projects should update promptly.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The recommended fix is to update @auth0/nextjs-auth0 to version 4.18.0 or later, which corrects the proxy cache fetcher's lookup logic. If you cannot update immediately, remove the vulnerable combination instead: disable DPoP on the proxy handler, or stop serving /me/* and /my-org/* through it, until the upgrade is done. Monitoring application logs for unusual bursts of concurrent token requests or repeated nonce retries can help spot attempts to trigger the bug. Test the application after any configuration change or SDK update.
Update the Auth0 Next.js SDK (@auth0/nextjs-auth0) to version 4.18.0 or later. Until then, make sure the project does not combine an affected version with the proxy handler for /me/* and /my-org/* and DPoP enabled.
A nonce is a unique, one-time-use value that prevents replay attacks. In DPoP, the server can issue a nonce that the client must include in its next proof; a request carrying no nonce, or a stale one, is rejected with the use_dpop_nonce error and a DPoP-Nonce header, and the client retries with the fresh value. That retry is the "nonce retry" this advisory refers to.
DPoP (Demonstrating Proof of Possession, RFC 9449) binds an access token to a key pair held by the client. Every request carries a short-lived proof JWT signed with the private key, so the client proves it holds the key without revealing it, and a stolen token is useless to anyone who lacks that key.
The proxy cache fetcher is the SDK component that caches token request results for the proxy handler to improve performance. The vulnerability lies in how it looks up those cached results when concurrent requests hit a nonce retry.
You can verify the SDK version by running npm list @auth0/nextjs-auth0 or yarn list @auth0/nextjs-auth0 in your project. Check the resolved, installed version rather than the range declared in package.json, since a caret range can still resolve to an affected release in an older lockfile.
If you can't update immediately, review your proxy and DPoP configuration, monitor logs, and consider implementing additional security measures, such as rate limiting requests.