Description
Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Followings are version details:
- Affected version(s): >= 4.0.1, < 4.5.1
- Patched version(s): 4.5.1
References
Related Issues
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
- Potential DoS when using ContextLines integration - Vulnerability
- sanitize-html Information Exposure vulnerability - CVE-2024-21501
- json-schema-ref-parser Prototype Pollution issue - CVE-2024-29651
- Tags:
- npm
- @auth0/nextjs-auth0
Anything's wrong? Let us know Last updated on April 30, 2025