CVE-2025-46344 — Auth0 NextJS SDK v4 Missing Session Invalidation

Description

### Overview Auth0 NextJS `v4.0.1` to `v4.5.0` does not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. ### Am I Affected? You are affected if you are using Auth0 NextJS SDK v4. ### Fix Upgrade to `v4.5.1`.

How to fix CVE-2025-46344

To remediate CVE-2025-46344, upgrade the affected package to a fixed version below.

npm/@auth0/nextjs-auth0—upgrade to 4.5.1 or later

Is CVE-2025-46344 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.1, < 4.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-46344
PATCHgithub.com/auth0/nextjs-auth0
WEBgithub.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3
WEBgithub.com/auth0/nextjs-auth0/releases/tag/v4.5.1