CVE-2025-48947
CVE-2025-48947 is a high-severity vulnerability with a CVSS 4.0 base score of 7.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-525.
Key facts
- Severity: High (CVSS 4.0 base score 7.7)
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-16914
- Weakness: CWE-525
- Published:
- Last modified:
Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for someone to be affected by the vulnerability: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, applications using CDN or edge caching that caches responses with the Set-Cookie header, and if the Cache-Control header is not properly set for sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.
Frequently asked questions
- What is CVE-2025-48947?
- The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for someone to be affected by the vulnerability: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, applications using CDN or edge caching that caches responses with the Set-Cookie header, and if the Cache-Control header is not properly set for sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.
- How severe is CVE-2025-48947?
- CVE-2025-48947 has a CVSS 4.0 base score of 7.7, rated high severity.
- Is CVE-2025-48947 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-48947?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-48947 have an EU (EUVD) identifier?
- Yes. CVE-2025-48947 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-16914.
- When was CVE-2025-48947 published?
- CVE-2025-48947 was published on 2025-06-04 and last updated on 2026-06-17.
References
Other CWE-525 vulnerabilities
- CVE-2025-15554 — High (CVSS 7.8): Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a…
- CVE-2025-36364 — Medium (CVSS 6.2): IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the…
- CVE-2024-31906 — Medium (CVSS 6.2): IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the…
- CVE-2026-41918 — Medium (CVSS 5.7): A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected…
- CVE-2026-24437 — Medium (CVSS 5.5): Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content…
- CVE-2025-62276 — Medium (CVSS 5.5): The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported…