Impact
This vulnerability is a race condition in the Auth0 Next.js SDK's proxy cache fetcher: concurrent requests that retry a nonce can trigger an improper cache lookup, causing the SDK to return the wrong token result. The flaw is a concurrency error (CWE‑362) combined with misused cache logic (CWE‑863). Although the CVE does not describe remote code execution, the broken authentication flow can expose or reuse authentication tokens, leading to unauthorized access or data leakage. If an attacker obtains a valid token this way, the integrity of the affected user session may be fully compromised.
Affected Systems
The issue exists in Auth0 Next.js SDK versions 4.12.0 through 4.17.1. An application is vulnerable only if it uses the SDK together with the proxy handler routes /me/* and /my-org/* and has DPoP enabled. Affected systems are therefore any Next.js web applications that depend on a vulnerable SDK version in that configuration. The bug has been fixed in SDK release 4.18.0, so upgrading to that version or later removes the risk.
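A quick inventory check for the version range above, added here as an example and not part of the advisory or of the Auth0 SDK itself. It assumes the SDK is installed from npm as `@auth0/nextjs-auth0` and reads an npm lockfile (v2/v3 `packages` map); the lockfile contents below are constructed sample data.

```javascript
// Added defender check (not from the advisory or the Auth0 SDK): flags installed
// copies of the Auth0 Next.js SDK whose version is within 4.12.0..4.17.1.
// Assumption: the npm package name is "@auth0/nextjs-auth0".
const AFFECTED_PACKAGE = "@auth0/nextjs-auth0"; // assumed package name
const FIRST_AFFECTED = "4.12.0";
const LAST_AFFECTED = "4.17.1";
const FIXED = "4.18.0";

// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease/build suffix is
// ignored, so "4.12.0-beta.1" is treated like 4.12.0 (conservative choice).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, LAST_AFFECTED) <= 0;
}

// Walk the lockfile's "packages" map (keys are node_modules paths, so nested
// duplicate copies are found too) and report each installed SDK copy.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable copy and one nested fixed copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@auth0/nextjs-auth0": { version: "4.15.2" },
    "node_modules/some-wrapper/node_modules/@auth0/nextjs-auth0": { version: "4.18.0" },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? `AFFECTED, upgrade to >= ${FIXED}` : "ok"}`);
}
```

A version match only establishes exposure; whether the proxy routes and DPoP are actually enabled still has to be confirmed in the application's configuration.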
Risk and Exploitability
The CVSS base score is 5.4, reflecting moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation is unclear. The attack vector appears to be local within the application: an attacker can trigger the race condition by issuing simultaneous nonce‑retry requests or by logging in several times in quick succession while the proxy handler and DPoP are enabled. Because the flaw requires this specific routing and configuration, exploitability is limited to deployments that match the described pattern, but it still poses a meaningful risk where such deployments are common.
OpenCVE Enrichment
GitHub GHSA