CVE-2025-46344 is a vulnerability in the Auth0 Next.js SDK, specifically affecting versions from 4.0.1 up to but not including 4.5.1. This SDK is widely used to implement user authentication in Next.js web applications. The core issue arises because the SDK fails to invoke the `.setExpirationTime` method when generating JSON Web Encryption (JWE) tokens for user sessions. Consequently, the JWE tokens lack an internal expiration claim, meaning they do not have a built-in expiry time. Although the session cookie itself may expire or be cleared by the client or server, the JWE token remains valid indefinitely until explicitly invalidated or replaced. This insufficient session expiration can lead to prolonged validity of authentication tokens beyond intended session lifetimes, increasing the risk that stolen or intercepted tokens could be reused by attackers to gain unauthorized access. The vulnerability is classified under CWE-613 (Insufficient Session Expiration), highlighting the failure to properly expire session tokens. The issue was addressed and patched in version 4.5.1 of the nextjs-auth0 SDK. The CVSS 4.0 base score is 4.9 (medium severity), reflecting that the vulnerability can be exploited remotely without user interaction or privileges, but requires some level of access (privileges) to obtain the token. The impact primarily affects the integrity and availability of user sessions, as attackers could maintain unauthorized access for extended periods. No known exploits are currently reported in the wild. This vulnerability is particularly relevant for web applications relying on nextjs-auth0 for authentication, as the lack of token expiration undermines session management security best practices and could facilitate session hijacking or replay attacks if tokens are compromised.

For European organizations, the impact of this vulnerability can be significant, especially for those operating customer-facing web applications or internal portals using Next.js with the nextjs-auth0 SDK versions 4.0.1 to 4.5.0. The indefinite validity of JWE tokens increases the risk of session hijacking, allowing attackers to impersonate legitimate users for prolonged periods. This can lead to unauthorized access to sensitive personal data, intellectual property, or critical business functions, potentially violating GDPR requirements around data protection and session security. Organizations in sectors such as finance, healthcare, e-commerce, and government services are particularly at risk due to the sensitive nature of their data and regulatory scrutiny. The vulnerability could also facilitate lateral movement within networks if attackers leverage compromised sessions to escalate privileges or access internal resources. Although no exploits are currently known in the wild, the medium severity rating and ease of remote exploitation without user interaction warrant prompt attention. Failure to address this issue could result in reputational damage, regulatory penalties, and financial losses stemming from data breaches or service disruptions.

1. Immediate upgrade: European organizations using nextjs-auth0 should upgrade to version 4.5.1 or later, where the vulnerability is patched by properly setting expiration claims on JWE tokens. 2. Token invalidation: Implement server-side mechanisms to invalidate or rotate tokens periodically, independent of client-side cookie expiration, to reduce risk from long-lived tokens. 3. Session monitoring: Deploy anomaly detection to identify unusual session durations or repeated token usage patterns that may indicate token misuse. 4. Secure token storage: Ensure tokens are stored securely on the client side, using HttpOnly and Secure cookie flags to mitigate theft via cross-site scripting (XSS). 5. Multi-factor authentication (MFA): Enforce MFA to reduce the impact of compromised tokens by requiring additional verification factors. 6. Incident response readiness: Prepare for potential session hijacking incidents by having procedures to revoke tokens and force user re-authentication. 7. Code audit: Review custom authentication and session management code to ensure no other token expiration issues exist. 8. User education: Inform developers and security teams about the importance of token expiration and session management best practices to prevent similar issues.