Vulnerability in Auth0 Nextjs-auth0
CVE-2025-46344
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result…
EPSS: 0.003 (48.6th percentile)
Affected products
- Auth0 Nextjs-auth0 — versions >= 4.0.1, < 4.5.1
Weakness classification (CWE)
References
- https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6 (x_refsource_CONFIRM)
- https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3 (x_refsource_MISC)
- https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1 (x_refsource_MISC)