Auth0 Next.js SDK JWE Token Expiration Vulnerability

Vulnerability

A vulnerability exists in the Auth0 Next.js SDK, specifically in versions 4.0.1 through 4.5.0. The SDK does not call '.setExpirationTime' when creating the JWE token that carries the session, so the JWE has no internal expiration claim. The session cookie may expire or be deleted, but the JWE it carried stays valid, allowing a session to persist beyond its intended lifetime.

Impact

Because the JWE carries no expiration claim, a token remains valid even after the associated session cookie has expired or been cleared, which can lead to unauthorized access.

Reproduction

To reproduce this vulnerability, use an Auth0 Next.js SDK version between 4.0.1 and 4.5.0. Create a session so that the SDK generates a JWE token. After the session cookie expires or is cleared, the JWE token can still be used, demonstrating that the token was never invalidated.

Remediation

Upgrade to Auth0 Next.js SDK version 4.5.1 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.