JWE Token Validation Issue in Auth0 Next.js SDK
CVE-2025-46344

4.9MEDIUM

Key Information:

Vendor

Auth0

Status
Nextjs-auth0
Vendor
CVE Published:
29 April 2025

What is CVE-2025-46344?

The Auth0 Next.js SDK, used for user authentication in Next.js applications, has a vulnerability in versions from 4.0.1 up to but not including 4.5.1. When generating a JSON Web Encryption (JWE) token for a session, the library fails to set an expiration time. This oversight means that while the session cookie can expire or be cleared, the JWE token can remain valid indefinitely, potentially allowing unauthorized access to user sessions. This issue is resolved in version 4.5.1, where the .setExpirationTime method is properly invoked, enhancing the security of session management.

Affected Version(s)

nextjs-auth0 >= 4.0.1, < 4.5.1

References

https://github.com/auth0/nextjs-auth0/security/advisories...
x_refsource_CONFIRM
https://github.com/auth0/nextjs-auth0/commit/a4f061aed02f...
x_refsource_MISC
https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1
x_refsource_MISC

CVSS V4

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.