Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-n9ve-cf9e-rbe8

Summary The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.

Aliases

alias	CVE-2025-46344

alias	GHSA-pjr6-jx7r-j4r6

Fixed_packages

url pkg:npm/%40auth0/nextjs-auth0@4.5.1

purl pkg:npm/%40auth0/nextjs-auth0@4.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.5.1

Affected_packages

url pkg:npm/%40auth0/nextjs-auth0@4.0.1

purl pkg:npm/%40auth0/nextjs-auth0@4.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.0.1

url pkg:npm/%40auth0/nextjs-auth0@4.0.2

purl pkg:npm/%40auth0/nextjs-auth0@4.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.0.2

url pkg:npm/%40auth0/nextjs-auth0@4.0.3

purl pkg:npm/%40auth0/nextjs-auth0@4.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.0.3

url pkg:npm/%40auth0/nextjs-auth0@4.1.0

purl pkg:npm/%40auth0/nextjs-auth0@4.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.1.0

url pkg:npm/%40auth0/nextjs-auth0@4.2.0

purl pkg:npm/%40auth0/nextjs-auth0@4.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.2.0

url pkg:npm/%40auth0/nextjs-auth0@4.2.1

purl pkg:npm/%40auth0/nextjs-auth0@4.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.2.1

url pkg:npm/%40auth0/nextjs-auth0@4.3.0

purl pkg:npm/%40auth0/nextjs-auth0@4.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.3.0

url pkg:npm/%40auth0/nextjs-auth0@4.4.0

purl pkg:npm/%40auth0/nextjs-auth0@4.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.4.0

url pkg:npm/%40auth0/nextjs-auth0@4.4.1

purl pkg:npm/%40auth0/nextjs-auth0@4.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.4.1

url pkg:npm/%40auth0/nextjs-auth0@4.4.2

purl pkg:npm/%40auth0/nextjs-auth0@4.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.4.2

url pkg:npm/%40auth0/nextjs-auth0@4.5.0

purl pkg:npm/%40auth0/nextjs-auth0@4.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n9ve-cf9e-rbe8

vulnerability	VCID-nk75-q6bm-k3bk

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540auth0/nextjs-auth0@4.5.0

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46344

reference_id

reference_type

scores

value	0.00349
scoring_system	epss
scoring_elements	0.5779
published_at	2026-06-11T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57908
published_at	2026-06-14T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57918
published_at	2026-06-13T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57902
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46344

reference_url

https://github.com/auth0/nextjs-auth0

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/auth0/nextjs-auth0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46344

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46344

reference_url

https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3

reference_id

a4f061aed02ffa132feca8adfbd11704df17e1c3

reference_type

scores

value	4.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:17:34Z/

url

https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3

reference_url

https://github.com/advisories/GHSA-pjr6-jx7r-j4r6

reference_id

GHSA-pjr6-jx7r-j4r6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pjr6-jx7r-j4r6

reference_url

https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6

reference_id

GHSA-pjr6-jx7r-j4r6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	4.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:17:34Z/

url

https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6

reference_url

https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1

reference_id

v4.5.1

reference_type

scores

value	4.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T13:17:34Z/

url

https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1

Weaknesses

cwe_id	613
name	Insufficient Session Expiration
description	According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n9ve-cf9e-rbe8

Vulnerability Instance