CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-46344: Auth0 NextJS SDK v4 Missing Session Invalidation

4.9 CVSS

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.

Classification

CVE ID: CVE-2025-46344

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Problem Types

CWE-613: Insufficient Session Expiration

Affected Products

Vendor: auth0

Product: nextjs-auth0

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (probability of being exploited)

EPSS Percentile: 38.14% (scored less or equal to compared to others)

EPSS Date: 2025-05-28 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46344
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6
https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3
https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1

Timeline

2025-04-29 21:40:17 UTC
CVE

Auth0 NextJS SDK v4 Missing Session Invalidation