Listen to this Post
The vulnerability arises from a race condition in the proxy cache fetcher when handling multiple simultaneous authentication requests.
1. The Auth0 Next.js SDK uses a proxy handler for endpoints like `/me/` and /my-org/.
2. DPoP (Demonstrating Proof-of-Possession) is enabled for these routes.
3. Each request includes a unique nonce to prevent replay attacks.
4. Under normal operation, the nonce is validated, and a token request is made to Auth0.
5. The result of the token request is stored in a cache to avoid repeated calls.
6. When two or more requests arrive nearly simultaneously, they may share the same nonce.
7. The first request triggers a token fetch and begins caching the result.
8. The second request, seeing the nonce as still pending, initiates a retry mechanism.
9. The retry logic incorrectly bypasses the cache lookup for the token result.
10. Instead of waiting for the first request’s cached result, the second request makes a new token request.
11. Both requests then proceed independently, each obtaining a potentially different token.
12. Due to the race, the proxy cache fetcher returns the result of the second request to both callers.
13. This results in one user receiving the token intended for another user.
14. The improper lookup violates the expected isolation between concurrent authentication flows.
15. An attacker can trigger the race by sending two authenticated requests in quick succession.
16. The attack requires the use of the vulnerable proxy handler with DPoP enabled.
17. Versions 4.12.0 through 4.17.0 are affected.
- The flaw is fixed in version 4.18.0 by improving the cache lookup logic.
- The patch ensures that retried requests correctly wait for and use the cached token.
- This eliminates the race condition and prevents token misassignment.
DailyCVE Form:
Platform: Auth0 Next.js
Version: 4.12.0-4.17.0
Vulnerability: Improper Cache Lookup
Severity: Moderate
date: Apr 17 2026
Prediction: Apr 21 2026
Analytics under heading What Undercode Say:
Check installed version of @auth0/nextjs-auth0
npm list @auth0/nextjs-auth0
Verify if vulnerable version range is used
npm view @auth0/nextjs-auth0 versions | grep -E "4.(1[2-7].)"
Simulate concurrent requests to trigger race condition
for i in {1..10}; do curl -X GET "https://yourapp.com/api/auth/me" -H "Authorization: Bearer $TOKEN" & done
Monitor proxy cache behavior (requires debug logging enabled)
export DEBUG=auth0:nextjs:proxy-cache
Patch to fixed version
npm install @auth0/[email protected]
Exploit:
An attacker sends two simultaneous authenticated requests to a vulnerable endpoint (e.g., /me/profile). Both requests carry the same DPoP nonce. The race condition causes the proxy cache to return the token from the second request to both sessions, allowing the attacker to impersonate the victim.
Protection from this CVE:
Upgrade to version 4.18.0 or later immediately. If upgrade is not possible, disable DPoP for the proxy handlers (/me/, /my-org/) as a temporary workaround.
Impact:
High – successful exploitation leads to session hijacking and unauthorized access to another user’s protected resources and personal data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

