Auth0 NextJS SDK v4 Missing Session Invalidation

Moderate
kevinroh-okta published GHSA-pjr6-jx7r-j4r6 Apr 29, 2025

Package

npm @auth0/nextjs-auth0 (npm)

Affected versions

>=4.0.1, <4.5.1

Patched versions

>=4.5.1

Description

Overview

Auth0 NextJS SDK v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating the JWE token that holds the session. As a result, the JWE carries no expiration claim of its own. The session cookie may expire or be cleared, but the JWE itself remains valid and will still decrypt and be accepted.

Am I Affected?

You are affected if you are using an affected release of Auth0 NextJS SDK v4 (v4.0.1 through v4.5.0).

Fix

Upgrade to v4.5.1 or greater.

Severity

Moderate

CVE ID

CVE-2025-46344

Weaknesses

No CWEs