Advisories for Npm/@Auth0/Nextjs-Auth0 package

2025

NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

Overview In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, Applications using CDN or edge caching that caches responses with the Set-Cookie header. If the Cache-Control header is not properly set …

Auth0 NextJS SDK v4 Missing Session Invalidation

Overview Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. Am I Affected? You are affected if you are using Auth0 NextJS SDK v4. Fix Upgrade to v4.5.1.

2021