Advisories for Npm/@Auth0/Nextjs-Auth0 package

Overview Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. Am I Affected? You are affected if you are using Auth0 NextJS SDK v4. Fix Upgrade to v4.5.1.

The Auth0 Next.js does not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

nextjs-auth0 lacks HTML escaping for error messages.