CVE-2025-46344

Published: Apr 29, 2025

Modified: Apr 30, 2025

PUBLISHED

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.
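
The effect of the missing expiration claim, shown as an added example that is not code from the SDK or from this advisory: a minimal compact JWE is issued with and without `exp`, and a server-side check rejects a token that lacks the claim. The `dir` / `A256GCM` header, the function names, the key and the timestamps are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");
const b64u = (buf) => Buffer.from(buf).toString("base64url");

// ttlSeconds === undefined reproduces the behaviour described above:
// the encrypted payload carries no `exp` claim.
function encryptSession(claims, key, nowSec, ttlSeconds) {
  const payload = { ...claims, iat: nowSec };
  if (ttlSeconds !== undefined) payload.exp = nowSec + ttlSeconds;
  const header = b64u(JSON.stringify({ alg: "dir", enc: "A256GCM" }));
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // protected header is the AAD
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload)), cipher.final()]);
  // "dir" has an empty encrypted-key segment
  return [header, "", b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

// Authenticates and decrypts; throws if the token or key does not match.
function decryptSession(token, key) {
  const [header, , iv, ct, tag] = token.split(".");
  const { alg, enc } = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (alg !== "dir" || enc !== "A256GCM") throw new Error("unexpected JWE header");
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"));
  d.setAAD(Buffer.from(header, "ascii"));
  d.setAuthTag(Buffer.from(tag, "base64url"));
  const plain = Buffer.concat([d.update(Buffer.from(ct, "base64url")), d.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// requireExp=false mirrors a verifier that only checks `exp` when it is present.
function checkExpiry(claims, nowSec, requireExp = true) {
  if (typeof claims.exp !== "number") {
    return requireExp ? { ok: false, reason: "missing exp" } : { ok: true };
  }
  return claims.exp > nowSec ? { ok: true } : { ok: false, reason: "expired" };
}

// Constructed sample values, not taken from the advisory.
const KEY = Buffer.alloc(32, 7);
const NOW = 1700000000;
const YEAR = 365 * 24 * 3600;
const noExp = encryptSession({ sub: "user-1" }, KEY, NOW);
const withExp = encryptSession({ sub: "user-1" }, KEY, NOW, 3600);
console.log(checkExpiry(decryptSession(noExp, KEY), NOW + YEAR, false)); // { ok: true }
console.log(checkExpiry(decryptSession(noExp, KEY), NOW + YEAR)); // missing exp
console.log(checkExpiry(decryptSession(withExp, KEY), NOW + 3601)); // expired
```

A token issued without `exp` still decrypts and passes the lenient check a year later, which is why the expiry has to live inside the encrypted payload and not only on the cookie.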

Vendor: auth0

Product: nextjs-auth0

Versions: affected >= 4.0.1, < 4.5.1

Weaknesses (CWE)
