7.5

CVE-2022-31093

Improper Handling of `callbackUrl` parameter in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextauth.JsNext-auth SwPlatformnode.js Version >= 3.0.0 < 3.29.5
Nextauth.JsNext-auth SwPlatformnode.js Version >= 4.0.0 < 4.5.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.57% 0.722
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432
Third Party Advisory
Mitigation
https://next-auth.js.org/configuration/initialization#advanced-initialization
Vendor Advisory