Auth0 · Auth0 Next.js SDK · CVE-2025-46344
**Name of the Vulnerable Software and Affected Versions**
Auth0 Next.js SDK versions 4.0.1 through 4.5.0
**Description**
The issue arises because the Auth0 Next.js SDK does not invoke `.setExpirationTime` when generating the JWE token for the session. As a result, the JWE contains no internal expiration claim, so even if the session cookie expires or is cleared, the JWE remains valid.
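The effect described above, as an added example that is not the SDK's code: a compact JWE sealed without an expiration claim still decrypts a year later, while a verifier that requires the claim rejects it. It is built directly on Node's `crypto` module rather than the SDK's JWE library; `sealSession`, `openSession`, the `requireExp` option, the key and the claims are hypothetical names and constructed data.

```javascript
// Added example; names and data are hypothetical, not the SDK's code.
const nodeCrypto = require('node:crypto');
const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Seal claims as a compact JWE (alg "dir", enc "A256GCM"). Omitting ttlSeconds
// reproduces the state the advisory describes: no expiration inside the token.
function sealSession(claims, key, nowSec, ttlSeconds) {
  const payload = { ...claims, iat: nowSec };
  if (ttlSeconds !== undefined) payload.exp = nowSec + ttlSeconds;
  const header = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM' }));
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // AAD is the encoded protected header
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  // Five dot-separated parts; the encrypted-key part is empty for alg "dir".
  return [header, '', b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Decrypt, then enforce expiry from inside the token, independent of the
// cookie's own lifetime. requireExp=false models a verifier that trusts the cookie.
function openSession(token, key, nowSec, { requireExp = true } = {}) {
  const [header, , iv, ct, tag] = token.split('.');
  const { alg, enc } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'dir' || enc !== 'A256GCM') return { ok: false, reason: 'unsupported header' };
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(header, 'ascii'));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  const plain = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  const claims = JSON.parse(plain.toString('utf8'));
  if (typeof claims.exp !== 'number') {
    if (requireExp) return { ok: false, reason: 'missing exp' };
  } else if (nowSec >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}

// Constructed sample data.
const key = nodeCrypto.randomBytes(32);
const now = 1700000000;
const yearLater = now + 365 * 86400;
const noExp = sealSession({ sub: 'user-1' }, key, now);
const withExp = sealSession({ sub: 'user-1' }, key, now, 3600);

console.log('no exp, lenient verifier:', openSession(noExp, key, yearLater, { requireExp: false }).ok);
console.log('no exp, strict verifier: ', openSession(noExp, key, yearLater).reason);
console.log('with exp, a year later:  ', openSession(withExp, key, yearLater).reason);
```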
**Recommendations**
For versions 4.0.1 through 4.5.0, update to version 4.5.1 to resolve the issue.