Fluid Attacks Database

Description

Auth0 NextJS SDK v4 Missing Session Invalidation

Overview

Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.

Am I Affected?

You are affected if you are using Auth0 NextJS SDK v4.

Fix

Upgrade to v4.5.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@auth0/nextjs-auth0	>=4.0.1 <4.5.1	4.5.1

Aliases

1. CVE-2025-463442. NVD-2025-463443. OSV-2025-463444. GHSA-pjr6-jx7r-j4r65. GCVE-2025-46344

References

1. https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r62. https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c33. https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.