Описание
Auth0 NextJS SDK v4 Missing Session Invalidation
Overview
Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.
Am I Affected?
You are affected if you are using Auth0 NextJS SDK v4.
Fix
Upgrade to v4.5.1.
Пакеты
@auth0/nextjs-auth0
>= 4.0.1, < 4.5.1
4.5.1
Связанные уязвимости
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.