@auth0/nextjs-auth0 is vulnerable to Insufficient Session Expiration
Medium Risk
Affected versions of this package did not enforce an expiration for the JSON Web Encryption (JWE) token stored in the session cookie. They relied solely on the cookie's expiry setting, so the JWE token itself remained valid after the cookie expired. An attacker can leverage this misconfiguration by extracting the JWE token from an expired cookie and reusing it in malicious requests, bypassing session termination. Because the server checked only the cookie's expiration and not the expiration embedded in the JWE token, this flaw could lead to unauthorized access.
You are affected if you are using a version that falls within the vulnerable range.
@auth0/nextjs-auth0 is vulnerable to Insufficient Session Expiration in versions 4.0.2 - 4.5.0.
Upgrade the @auth0/nextjs-auth0 library to a patched version.