ghsa-g5fm-jp9v-2432
Vulnerability from github
Impact
An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:
next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.5.0 are impacted.
Patches
We've released patches for this vulnerability in:
- v3 -
3.29.5 - v4 -
4.5.0
You can do:
sh
npm i next-auth@latest
or
sh
yarn add next-auth@latest
or
sh
pnpm add next-auth@latest
(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)
Workarounds
If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:
Before:
```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth"
export default NextAuth(/ your config /) ```
After:
```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth"
function isValidHttpUrl(url) { try { return /^https?:/.test(url).protocol } catch { return false; } }
export default async function handler(req, res) { if ( req.query.callbackUrl && !isValidHttpUrl(req.query.callbackUrl) ) { return res.status(500).send(''); }
return await NextAuth(req, res, / your config /) } ```
References
This vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.
Related documentation:
- https://next-auth.js.org/getting-started/client#specifying-a-callbackurl
- https://next-auth.js.org/configuration/callbacks#redirect-callback
A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31093"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:06:36Z",
"nvd_published_at": "2022-06-27T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases:\n\nnext-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4))\n\nnext-auth v4 users before version 4.5.0 are impacted.\n\n### Patches\n\nWe\u0027ve released patches for this vulnerability in:\n \n- v3 - `3.29.5`\n- v4 - `4.5.0`\n\nYou can do:\n\n```sh\nnpm i next-auth@latest\n```\n\nor\n\n```sh\nyarn add next-auth@latest\n```\n\nor\n\n```sh\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended.)\n\n### Workarounds\n\nIf for some reason you cannot upgrade, the workaround requires you to rely on [Advanced Initialization](https://next-auth.js.org/configuration/initialization#advanced-initialization). Here is an example:\n\n**Before:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nexport default NextAuth(/* your config */)\n```\n\n**After:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nfunction isValidHttpUrl(url) {\n try {\n return /^https?:/.test(url).protocol\n } catch {\n return false;\n }\n}\n\nexport default async function handler(req, res) {\n if (\n req.query.callbackUrl \u0026\u0026\n !isValidHttpUrl(req.query.callbackUrl)\n ) {\n return res.status(500).send(\u0027\u0027);\n }\n \n return await NextAuth(req, res, /* your config */)\n}\n```\n\n\n### References\n\nThis vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.\n\nRelated documentation:\n\n- https://next-auth.js.org/getting-started/client#specifying-a-callbackurl\n- https://next-auth.js.org/configuration/callbacks#redirect-callback\n\nA test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.",
"id": "GHSA-g5fm-jp9v-2432",
"modified": "2022-07-08T17:05:36Z",
"published": "2022-06-21T20:06:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31093"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextauthjs/next-auth"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Handling of `callbackUrl` parameter in next-auth"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.