CVE-2025-46344: Auth0 NextJS SDK v4 Missing Session Invalidation
Overview
Auth0 NextJS SDK v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.
Am I Affected?
You are affected if you are using Auth0 NextJS SDK v4.
Fix
Upgrade to v4.5.1.
References
- github.com/advisories/GHSA-pjr6-jx7r-j4r6
- github.com/auth0/nextjs-auth0
- github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3
- github.com/auth0/nextjs-auth0/releases/tag/v4.5.1
- github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6
- nvd.nist.gov/vuln/detail/CVE-2025-46344