PT-2025-18209 · Auth0 · Auth0 Next.js SDK
Kevinroh-Okta · Published 2025-04-29 · Updated 2025-04-30
CVE-2025-46344
CVSS v4.0: 4.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
Name of the Vulnerable Software and Affected Versions
Auth0 Next.js SDK versions 4.0.1 through 4.5.0
Description
The Auth0 Next.js SDK does not call .setExpirationTime when it generates the JWE that carries the session, so the JWE contains no internal expiration (exp) claim. Consequently, even after the session cookie expires or is cleared, the JWE itself remains valid.
Recommendations
For versions 4.0.1 through 4.5.0, update to version 4.5.1 to resolve the issue.
Weakness Enumeration
Insufficient Session Expiration
Affected Products
Auth0 Next.js SDK