Vulnerabilites related to nextauth.js - next-auth
Vulnerability from fkie_nvd
Published
2023-03-09 21:15
Modified
2024-11-21 07:53
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "D58C0028-EA90-4BFA-BD7B-03775AE4FC42",
"versionEndExcluding": "4.20.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim\u0027s network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details."
}
],
"id": "CVE-2023-27490",
"lastModified": "2024-11-21T07:53:00.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-09T21:15:11.913",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://authjs.dev/reference/core/providers#checks"
},
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://next-auth.js.org/configuration/providers/oauth"
},
{
"source": "security-advisories@github.com",
"url": "https://security.netapp.com/advisory/ntap-20230420-0006/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://authjs.dev/reference/core/providers#checks"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://next-auth.js.org/configuration/providers/oauth"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230420-0006/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
},
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-19 23:15
Modified
2024-11-21 06:51
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * | |
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "0E5C04FB-E569-40FF-8C92-15537801B135",
"versionEndExcluding": "3.29.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C0B0CDDB-30B2-48C4-A992-45D8477DB821",
"versionEndExcluding": "4.3.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`."
},
{
"lang": "es",
"value": "Los usuarios de next-auth versiones v3 anteriores a 3.29.2 est\u00e1n afectados. Los usuarios de next-auth versiones4 anteriores a la versi\u00f3n 4.3.2 tambi\u00e9n est\u00e1n afectados. La actualizaci\u00f3n a la versi\u00f3n 3.29.2 o 4.3.2 corregir\u00e1 esta vulnerabilidad. Si no puede actualizar por alguna raz\u00f3n, puede a\u00f1adir una configuraci\u00f3n a su opci\u00f3n de callbacks. Si ya presenta una llamada de retorno \"redirect\", aseg\u00farese de que el origen \"url\" entrante coincida con el \"baseUrl\""
}
],
"id": "CVE-2022-24858",
"lastModified": "2024-11-21T06:51:15.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-19T23:15:13.317",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-06 18:15
Modified
2024-11-21 07:03
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * | |
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "D6D5F0DD-25B0-4A7E-9F90-04E6D3A910EE",
"versionEndExcluding": "3.29.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F1463014-6B40-4A67-B484-F9102997C292",
"versionEndExcluding": "4.9.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, \u003ca href=\"http://attacker.com\"\u003eBefore signing in, claim your money!\u003c/a\u003e`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker\u0027s site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven\u0027t created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it."
},
{
"lang": "es",
"value": "NextAuth.js es una completa soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. Un atacante puede pasar una entrada comprometida al correo electr\u00f3nico [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) que contiene alg\u00fan HTML malicioso, enga\u00f1ando al servidor de correo electr\u00f3nico para que lo env\u00ede al usuario, y as\u00ed poder llevar a cabo un ataque de phishing. Eg.: \"balazs@email.com, (a href=\"http://attacker.com\")Before signing in, claim your money!(/a)\". Anteriormente era enviado a \"balazs@email.com\", y el contenido del correo electr\u00f3nico que conten\u00eda un enlace al sitio del atacante era renderizado en el HTML. Esto ha sido mitigado en las siguientes versiones, simplemente no renderizando ese correo electr\u00f3nico en el HTML, ya que deber\u00eda ser obvio para el receptor qu\u00e9 correo electr\u00f3nico fue usado: los usuarios de next-auth versiones v3 anteriores a 3.29.8 est\u00e1n afectados. (Recomendamos actualizar a la versi\u00f3n v4, ya que la versi\u00f3n v3 es considerada sin mantenimiento. Los usuarios de next-auth versiones v4 anteriores a 4.9.0 est\u00e1n afectados. Si por alguna raz\u00f3n no puedes actualizar, la mitigaci\u00f3n requiere que sea saneado el par\u00e1metro \"email\" que es pasado a \"sendVerificationRequest\" y es mostrado en el HTML. Si no has creado un \"sendVerificationRequest\" personalizado, s\u00f3lo tienes que actualizar. En caso contrario, aseg\u00farese de excluir \"email\" del cuerpo del HTML o de sanearlo eficazmente"
}
],
"id": "CVE-2022-31127",
"lastModified": "2024-11-21T07:03:57.163",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-06T18:15:19.497",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email#customizing-emails"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email#customizing-emails"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-27 22:15
Modified
2024-11-21 07:03
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * | |
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9433E695-3D8D-4D49-B349-C3C68F013FEE",
"versionEndExcluding": "3.29.5",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "6D08EEB4-7815-4127-B2CA-BE4B4258D8CD",
"versionEndExcluding": "4.5.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."
},
{
"lang": "es",
"value": "NextAuth.js es una soluci\u00f3n completa de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. En las versiones afectadas, un atacante puede enviar una petici\u00f3n a una aplicaci\u00f3n usando NextAuth.js con un par\u00e1metro de consulta \"callbackUrl\" no v\u00e1lido, que internamente es convertido en un objeto \"URL\". La instanciaci\u00f3n de la URL fallaba debido a que era pasada una URL malformada al constructor, lo que causaba que fuera lanzado un error no manejado que conllevaba a que el **manejador de rutas de la API se desconectara y el inicio de sesi\u00f3n fallara**. Esto ha sido remediado en versiones 3.29.5 y 4.5.0. Si por alguna raz\u00f3n no puedes actualizar, la mitigaci\u00f3n requiere que te apoyes en la Inicializaci\u00f3n Avanzada. Consulte la documentaci\u00f3n para obtener m\u00e1s informaci\u00f3n"
}
],
"id": "CVE-2022-31093",
"lastModified": "2024-11-21T07:03:52.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-27T22:15:09.047",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-11 22:15
Modified
2024-11-21 05:47
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q | Exploit, Third Party Advisory | |
| security-advisories@github.com | https://www.npmjs.com/package/next-auth | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.npmjs.com/package/next-auth | Product, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "33AEB592-BAC1-4FE4-84E0-C8F9E95BF8E5",
"versionEndExcluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0."
},
{
"lang": "es",
"value": "NextAuth.js (next-auth) es una soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js.\u0026#xa0;En next-auth versiones anteriores a 3.3.0, se presenta una vulnerabilidad de verificaci\u00f3n de tokens.\u0026#xa0;Las implementaciones que usa el adaptador de base de datos Prisma en conjunto con el proveedor de correo electr\u00f3nico est\u00e1n afectadas.\u0026#xa0;Las implementaciones que usa el proveedor de correo electr\u00f3nico con el adaptador de base de datos predeterminado no est\u00e1n afectadas.\u0026#xa0;Las implementaciones que usa el adaptador de base de datos Prisma pero que no usa el proveedor de correo electr\u00f3nico no est\u00e1n afectadas.\u0026#xa0;El adaptador de base de datos de Prisma estaba comprobando el token de verificaci\u00f3n, pero no verificaba la direcci\u00f3n de correo electr\u00f3nico asociada con ese token.\u0026#xa0;Esto hizo posible usar un token v\u00e1lido para iniciar sesi\u00f3n como otro usuario cuando se usa el adaptador Prima en conjunto con el proveedor de correo electr\u00f3nico.\u0026#xa0;Este problema es espec\u00edfico del adaptador Prisma compatible con la comunidad.\u0026#xa0;Este problema es corregido en versi\u00f3n 3.3.0"
}
],
"id": "CVE-2021-21310",
"lastModified": "2024-11-21T05:47:59.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-11T22:15:12.507",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/next-auth"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/next-auth"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-02 18:15
Modified
2024-11-21 07:11
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * | |
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "97098DFC-AC04-4EAE-862A-92C6447A0520",
"versionEndExcluding": "3.29.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5D61C7D4-4D8C-471E-A49D-2ACA7E6A8B03",
"versionEndExcluding": "4.10.3",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim\u0027s e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization."
},
{
"lang": "es",
"value": "NextAuth.js es una completa soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. Los usuarios de \"next-auth\" que usan el \"EmailProvider\" en versiones anteriores a \"4.10.3\" o \"3.29.10\" est\u00e1n afectados. Si un atacante pudiera falsificar una petici\u00f3n que enviara una lista de correos electr\u00f3nicos separados por comas (por ejemplo: \"attacker@attacker.com,victim@victim.com\") al endpoint de inicio de sesi\u00f3n, NextAuth.js enviar\u00eda correos electr\u00f3nicos tanto al atacante como a las direcciones de correo electr\u00f3nico de la v\u00edctima. El atacante podr\u00eda entonces iniciar sesi\u00f3n como un usuario reci\u00e9n creado con el correo electr\u00f3nico \"attacker@attacker.com,victim@victim.com\". Esto significa que una autorizaci\u00f3n b\u00e1sica como \"email.endsWith(\"@v\u00edctima.com\")\" en la llamada de retorno \"signIn\" no comunicar\u00eda una amenaza al desarrollador y permitir\u00eda al atacante saltarse la autorizaci\u00f3n, incluso con una direcci\u00f3n \"@atacante.com\". Esta vulnerabilidad ha sido parcheada en versiones \"v4.10.3\" y \"v3.29.10\" al normalizar el valor del correo electr\u00f3nico que es enviado al punto final de inicio de sesi\u00f3n antes de acceder a \u00e9l en cualquier otro lugar. Tambi\u00e9n hemos a\u00f1adido una llamada de retorno \"normalizeIdentifier\" en la configuraci\u00f3n de \"EmailProvider\", donde puedes ajustar a\u00fan m\u00e1s tus requisitos para lo que tu sistema considera una direcci\u00f3n de correo electr\u00f3nico v\u00e1lida. (Por ejemplo: cumplimiento estricto del RFC2821). Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para esta vulnerabilidad. Si por alguna raz\u00f3n no puede actualizar, puede normalizar la petici\u00f3n entrante usando la Inicializaci\u00f3n Avanzada"
}
],
"id": "CVE-2022-35924",
"lastModified": "2024-11-21T07:11:58.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-02T18:15:08.893",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://nodemailer.com/message/addresses"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://nodemailer.com/message/addresses"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-28 21:15
Modified
2024-11-21 07:17
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9739A761-9DBD-4177-B34D-AC887CFE81C8",
"versionEndExcluding": "3.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim\u0027s email could easily sign in as the victim, given the attacker also knows about the verification token\u0027s expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query\u0027s token and identifier before proceeding."
},
{
"lang": "es",
"value": "\"@next-auth/upstash-redis-adapter\" es el adaptador de Upstash Redis para NextAuth.js, que proporciona autenticaci\u00f3n para Next.js. Las aplicaciones que usan el proveedor de correo electr\u00f3nico \"next-auth\" y \"@next-auth/upstash-redis-adapter\" versiones anteriores a 3.0.2, est\u00e1n afectadas por esta vulnerabilidad. La implementaci\u00f3n del adaptador Upstash Redis no comprobaba tanto el identificador (correo electr\u00f3nico) como el token, sino que s\u00f3lo comprobaba el identificador cuando verificaba el token en el flujo de devoluci\u00f3n de llamada del correo electr\u00f3nico. Un atacante que conozca el correo electr\u00f3nico de la v\u00edctima podr\u00eda iniciar sesi\u00f3n f\u00e1cilmente como la v\u00edctima, dado que el atacante tambi\u00e9n conoce la duraci\u00f3n del token de verificaci\u00f3n. La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 3.0.2. Se presenta una mitigaci\u00f3n disponible. usando la Inicializaci\u00f3n Avanzada, los desarrolladores pueden comprobar las peticiones y comparar el token y el identificador de la consulta antes de proceder"
}
],
"id": "CVE-2022-39263",
"lastModified": "2024-11-21T07:17:54.553",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-28T21:15:14.590",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-21 00:15
Modified
2024-11-21 06:58
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * | |
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E0DBE05F-11B2-4487-B357-7820EC058426",
"versionEndExcluding": "3.29.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "DAE646D5-B116-4797-87D0-76EB1212D58C",
"versionEndExcluding": "4.3.3",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one\u0027s `callbacks` option as a workaround for those unable to upgrade."
},
{
"lang": "es",
"value": "NextAuth.js (next-auth) es una soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. En versiones anteriores a 3.29.3 y 4.3.3, se presenta una vulnerabilidad de redireccionamiento abierto cuando el desarrollador implementa un proveedor OAuth 1. Las versiones 3.29.3 y 4.3.3 contienen un parche para este problema. Los mantenedores recomiendan a\u00f1adir una determinada configuraci\u00f3n a la opci\u00f3n \"callbacks\" como mitigaci\u00f3n para aquellos que no puedan actualizar"
}
],
"id": "CVE-2022-29214",
"lastModified": "2024-11-21T06:58:44.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-21T00:15:11.853",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-20 19:15
Modified
2024-11-21 08:31
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextauth.js | next-auth | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "A8790D4B-02DD-46E6-84FA-B1BA7F1C94E9",
"versionEndExcluding": "4.24.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users\u0027 data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."
},
{
"lang": "es",
"value": "NextAuth.js proporciona autenticaci\u00f3n para Next.js. Las aplicaciones `next-auth` anteriores a la versi\u00f3n 4.24.5 que dependen de la autorizaci\u00f3n de Middleware predeterminada se ven afectadas por una vulnerabilidad. Un mal actor podr\u00eda crear un usuario vac\u00edo/simulado al obtener un JWT emitido por NextAuth.js a partir de un flujo de inicio de sesi\u00f3n de OAuth interrumpido (estado, PKCE o nonce). Anular manualmente el valor de la cookie `next-auth.session-token` con este JWT no relacionado permitir\u00eda al usuario simular un usuario que ha iniciado sesi\u00f3n, aunque no tenga informaci\u00f3n de usuario asociada. (La \u00fanica propiedad de este usuario es una cadena opaca generada aleatoriamente). Esta vulnerabilidad no da acceso a los datos de otros usuarios, ni a recursos que requieran la autorizaci\u00f3n adecuada a trav\u00e9s de alcances u otros medios. El usuario simulado creado no tiene informaci\u00f3n asociada (es decir, no tiene nombre, correo electr\u00f3nico, token de acceso, etc.). Los malos actores pueden aprovechar esta vulnerabilidad para echar un vistazo a los estados de los usuarios que han iniciado sesi\u00f3n (por ejemplo, el dise\u00f1o del panel). `next-auth` `v4.24.5` contiene un parche para la vulnerabilidad. Como workaround, al utilizar una devoluci\u00f3n de llamada de autorizaci\u00f3n personalizada para Middleware, los desarrolladores pueden realizar manualmente una autenticaci\u00f3n b\u00e1sica."
}
],
"id": "CVE-2023-48309",
"lastModified": "2024-11-21T08:31:27.620",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-20T19:15:09.243",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://authjs.dev/guides/basics/role-based-access-control"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://next-auth.js.org/configuration/nextjs#middlewar"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://authjs.dev/guides/basics/role-based-access-control"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://next-auth.js.org/configuration/nextjs#middlewar"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
},
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2022-29214 (GCVE-0-2022-29214)
Vulnerability from cvelistv5
Published
2022-05-20 23:45
Modified
2025-04-23 18:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 | x_refsource_CONFIRM | |
| https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.29.3 Version: >= 4.0.0, < 4.3.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:06:57.338140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:23:37.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.3"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one\u0027s `callbacks` option as a workaround for those unable to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T23:45:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"
}
],
"source": {
"advisory": "GHSA-q2mx-j4x2-2h74",
"discovery": "UNKNOWN"
},
"title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) in next-auth",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29214",
"STATE": "PUBLIC",
"TITLE": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) in next-auth"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.29.3"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one\u0027s `callbacks` option as a workaround for those unable to upgrade."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"
},
{
"name": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"
}
]
},
"source": {
"advisory": "GHSA-q2mx-j4x2-2h74",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29214",
"datePublished": "2022-05-20T23:45:11.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:23:37.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24858 (GCVE-0-2022-24858)
Vulnerability from cvelistv5
Published
2022-04-19 22:25
Modified
2025-04-23 18:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw | x_refsource_CONFIRM | |
| https://next-auth.js.org/configuration/callbacks#redirect-callback | x_refsource_MISC | |
| https://next-auth.js.org/getting-started/upgrade-v4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.29.2, < 4.3.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:08:09.810528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:33:56.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.2, \u003c 4.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T22:25:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
}
],
"source": {
"advisory": "GHSA-f9wg-5f46-cjmw",
"discovery": "UNKNOWN"
},
"title": "Default redirect callback vulnerable to open redirects",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24858",
"STATE": "PUBLIC",
"TITLE": "Default redirect callback vulnerable to open redirects"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.29.2, \u003c 4.3.2"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"name": "https://next-auth.js.org/configuration/callbacks#redirect-callback",
"refsource": "MISC",
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"name": "https://next-auth.js.org/getting-started/upgrade-v4",
"refsource": "MISC",
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
}
]
},
"source": {
"advisory": "GHSA-f9wg-5f46-cjmw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24858",
"datePublished": "2022-04-19T22:25:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:33:56.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31093 (GCVE-0-2022-31093)
Vulnerability from cvelistv5
Published
2022-06-27 21:30
Modified
2025-04-23 18:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.29.5 Version: >= 4.0.0, < 4.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:50.471341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:06:46.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T21:30:20.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
],
"source": {
"advisory": "GHSA-g5fm-jp9v-2432",
"discovery": "UNKNOWN"
},
"title": "Improper Handling of `callbackUrl` parameter in next-auth",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31093",
"STATE": "PUBLIC",
"TITLE": "Improper Handling of `callbackUrl` parameter in next-auth"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.29.5"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.5.0"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
"refsource": "MISC",
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
]
},
"source": {
"advisory": "GHSA-g5fm-jp9v-2432",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31093",
"datePublished": "2022-06-27T21:30:20.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:06:46.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39263 (GCVE-0-2022-39263)
Vulnerability from cvelistv5
Published
2022-09-28 21:05
Modified
2025-04-23 16:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9 | x_refsource_CONFIRM | |
| https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:44.642001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:54:22.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim\u0027s email could easily sign in as the victim, given the attacker also knows about the verification token\u0027s expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query\u0027s token and identifier before proceeding."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-28T21:05:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
}
],
"source": {
"advisory": "GHSA-4rxr-27mm-mxq9",
"discovery": "UNKNOWN"
},
"title": "NextAuth.js Upstash Adapter missing token verification",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39263",
"STATE": "PUBLIC",
"TITLE": "NextAuth.js Upstash Adapter missing token verification"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim\u0027s email could easily sign in as the victim, given the attacker also knows about the verification token\u0027s expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query\u0027s token and identifier before proceeding."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
}
]
},
"source": {
"advisory": "GHSA-4rxr-27mm-mxq9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39263",
"datePublished": "2022-09-28T21:05:09.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:54:22.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27490 (GCVE-0-2023-27490)
Vulnerability from cvelistv5
Published
2023-03-09 20:37
Modified
2025-02-25 14:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf | x_refsource_CONFIRM | |
| https://authjs.dev/reference/core/providers#checks | x_refsource_MISC | |
| https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ | x_refsource_MISC | |
| https://next-auth.js.org/configuration/initialization#advanced-initialization | x_refsource_MISC | |
| https://next-auth.js.org/configuration/providers/oauth | x_refsource_MISC | |
| https://www.rfc-editor.org/rfc/rfc6749#section-10.12 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20230420-0006/ |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 4.20.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf"
},
{
"name": "https://authjs.dev/reference/core/providers#checks",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://authjs.dev/reference/core/providers#checks"
},
{
"name": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/"
},
{
"name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"name": "https://next-auth.js.org/configuration/providers/oauth",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/providers/oauth"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230420-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:38.244440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:59:02.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim\u0027s network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T08:06:22.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf"
},
{
"name": "https://authjs.dev/reference/core/providers#checks",
"tags": [
"x_refsource_MISC"
],
"url": "https://authjs.dev/reference/core/providers#checks"
},
{
"name": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/",
"tags": [
"x_refsource_MISC"
],
"url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/"
},
{
"name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"name": "https://next-auth.js.org/configuration/providers/oauth",
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/providers/oauth"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230420-0006/"
}
],
"source": {
"advisory": "GHSA-7r7x-4c4q-c4qf",
"discovery": "UNKNOWN"
},
"title": "Missing proper state, nonce and PKCE checks for OAuth authentication in next-auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27490",
"datePublished": "2023-03-09T20:37:11.407Z",
"dateReserved": "2023-03-01T19:03:56.634Z",
"dateUpdated": "2025-02-25T14:59:02.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21310 (GCVE-0-2021-21310)
Vulnerability from cvelistv5
Published
2021-02-11 21:40
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q | x_refsource_CONFIRM | |
| https://www.npmjs.com/package/next-auth | x_refsource_MISC | |
| https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/next-auth"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-11T21:40:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/next-auth"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
}
],
"source": {
"advisory": "GHSA-pg53-56cg-4m8q",
"discovery": "UNKNOWN"
},
"title": "Token verification bug in next-auth",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21310",
"STATE": "PUBLIC",
"TITLE": "Token verification bug in next-auth"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.3.0"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
},
{
"name": "https://www.npmjs.com/package/next-auth",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/next-auth"
},
{
"name": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
}
]
},
"source": {
"advisory": "GHSA-pg53-56cg-4m8q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21310",
"datePublished": "2021-02-11T21:40:16",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48309 (GCVE-0-2023-48309)
Vulnerability from cvelistv5
Published
2023-11-20 18:25
Modified
2024-08-29 13:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89 | x_refsource_CONFIRM | |
| https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10 | x_refsource_MISC | |
| https://authjs.dev/guides/basics/role-based-access-control | x_refsource_MISC | |
| https://next-auth.js.org/configuration/nextjs#advanced-usage | x_refsource_MISC | |
| https://next-auth.js.org/configuration/nextjs#middlewar | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 4.24.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"
},
{
"name": "https://authjs.dev/guides/basics/role-based-access-control",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://authjs.dev/guides/basics/role-based-access-control"
},
{
"name": "https://next-auth.js.org/configuration/nextjs#advanced-usage",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"
},
{
"name": "https://next-auth.js.org/configuration/nextjs#middlewar",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/nextjs#middlewar"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:40:21.107207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:41:03.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.24.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users\u0027 data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-20T18:25:01.896Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"
},
{
"name": "https://authjs.dev/guides/basics/role-based-access-control",
"tags": [
"x_refsource_MISC"
],
"url": "https://authjs.dev/guides/basics/role-based-access-control"
},
{
"name": "https://next-auth.js.org/configuration/nextjs#advanced-usage",
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"
},
{
"name": "https://next-auth.js.org/configuration/nextjs#middlewar",
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/nextjs#middlewar"
}
],
"source": {
"advisory": "GHSA-v64w-49xw-qq89",
"discovery": "UNKNOWN"
},
"title": "next-auth vulnerable to possible user mocking that bypasses basic authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48309",
"datePublished": "2023-11-20T18:25:01.896Z",
"dateReserved": "2023-11-14T17:41:15.572Z",
"dateUpdated": "2024-08-29T13:41:03.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35924 (GCVE-0-2022-35924)
Vulnerability from cvelistv5
Published
2022-08-02 17:55
Modified
2025-04-23 17:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
References
| ▼ | URL | Tags |
|---|---|---|
| https://next-auth.js.org/configuration/initialization#advanced-initialization | x_refsource_MISC | |
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587 | x_refsource_CONFIRM | |
| https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003 | x_refsource_MISC | |
| https://en.wikipedia.org/wiki/Email_address#Local-part | x_refsource_MISC | |
| https://next-auth.js.org/configuration/callbacks#sign-in-callback | x_refsource_MISC | |
| https://next-auth.js.org/providers/email | x_refsource_MISC | |
| https://next-auth.js.org/providers/email#normalizing-the-e-mail-address | x_refsource_MISC | |
| https://nodemailer.com/message/addresses | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: >= 4.0.0, < 4.10.3 Version: < 3.29.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:58.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/providers/email"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodemailer.com/message/addresses"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:47.718684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:54:19.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.3"
},
{
"status": "affected",
"version": "\u003c 3.29.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim\u0027s e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-02T17:55:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/providers/email"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodemailer.com/message/addresses"
}
],
"source": {
"advisory": "GHSA-xv97-c62v-4587",
"discovery": "UNKNOWN"
},
"title": "Verification requests (magic link) sent to unwanted emails",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35924",
"STATE": "PUBLIC",
"TITLE": "Verification requests (magic link) sent to unwanted emails"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.10.3"
},
{
"version_value": "\u003c 3.29.10"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim\u0027s e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
"refsource": "MISC",
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"name": "https://en.wikipedia.org/wiki/Email_address#Local-part",
"refsource": "MISC",
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"name": "https://next-auth.js.org/configuration/callbacks#sign-in-callback",
"refsource": "MISC",
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"name": "https://next-auth.js.org/providers/email",
"refsource": "MISC",
"url": "https://next-auth.js.org/providers/email"
},
{
"name": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address",
"refsource": "MISC",
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"name": "https://nodemailer.com/message/addresses",
"refsource": "MISC",
"url": "https://nodemailer.com/message/addresses"
}
]
},
"source": {
"advisory": "GHSA-xv97-c62v-4587",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35924",
"datePublished": "2022-08-02T17:55:13.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:54:19.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31127 (GCVE-0-2022-31127)
Vulnerability from cvelistv5
Published
2022-07-06 18:00
Modified
2025-04-22 17:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it.
References
| ▼ | URL | Tags |
|---|---|---|
| https://next-auth.js.org/getting-started/upgrade-v4 | x_refsource_MISC | |
| https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463 | x_refsource_CONFIRM | |
| https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c | x_refsource_MISC | |
| https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0 | x_refsource_MISC | |
| https://next-auth.js.org/providers/email#customizing-emails | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextauthjs | next-auth |
Version: < 3.29.8 Version: >= 4.0.0, < 4.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://next-auth.js.org/providers/email#customizing-emails"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31127",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:45:38.302117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:51:28.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next-auth",
"vendor": "nextauthjs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.29.8"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, \u003ca href=\"http://attacker.com\"\u003eBefore signing in, claim your money!\u003c/a\u003e`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker\u0027s site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven\u0027t created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-06T18:00:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://next-auth.js.org/providers/email#customizing-emails"
}
],
"source": {
"advisory": "GHSA-pgjx-7f9g-9463",
"discovery": "UNKNOWN"
},
"title": "Improper handling of email input in next-auth",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31127",
"STATE": "PUBLIC",
"TITLE": "Improper handling of email input in next-auth"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 3.29.8"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.9.0"
}
]
}
}
]
},
"vendor_name": "nextauthjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, \u003ca href=\"http://attacker.com\"\u003eBefore signing in, claim your money!\u003c/a\u003e`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker\u0027s site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven\u0027t created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://next-auth.js.org/getting-started/upgrade-v4",
"refsource": "MISC",
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
},
{
"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463",
"refsource": "CONFIRM",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
},
{
"name": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
},
{
"name": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0",
"refsource": "MISC",
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
},
{
"name": "https://next-auth.js.org/providers/email#customizing-emails",
"refsource": "MISC",
"url": "https://next-auth.js.org/providers/email#customizing-emails"
}
]
},
"source": {
"advisory": "GHSA-pgjx-7f9g-9463",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31127",
"datePublished": "2022-07-06T18:00:16.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:51:28.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}