CVE-2025-46344

N/A Unknown
Published: April 29, 2025 Modified: April 15, 2026
View on NVD

Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3
Source: security-advisories@github.com
https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1
Source: security-advisories@github.com
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6
Source: security-advisories@github.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.3%
48th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-613

Related CVEs

CVE-2026-7073 7.3
CVE-2026-7072 7.3
CVE-2026-7071 5.3
CVE-2026-7070 7.3
CVE-2026-7069 8.0