CVE-2022-24858 Information
Description
next-auth v3 users before version 3.29.2 are affected, and next-auth v4 users before version 4.3.2 are also affected. Upgrading to 3.29.2 or 4.3.2 patches this vulnerability. If you cannot upgrade, add a redirect callback to the callbacks option of your next-auth configuration. If you already have a redirect callback, make sure it parses the incoming url and compares its origin against baseUrl; a prefix or substring match on the url string is not a sufficient check.
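The mitigation above, worked through as an added example (this is not next-auth's own code or the project's default callback): a redirect callback that resolves the incoming url against baseUrl and follows it only when the resulting origin is exactly baseUrl's origin, shown next to a hypothetical weak prefix check so the difference is visible. BASE and the SAMPLES list are constructed test values, not data from the advisory.

```javascript
// Added example (not next-auth's code). BASE and SAMPLES are constructed.

// Hardened callback: resolve the incoming url against baseUrl and accept it
// only when the resulting origin is exactly baseUrl's origin. Relative paths
// ("/dashboard") resolve onto the site; anything else falls back to baseUrl.
function safeRedirect({ url, baseUrl }) {
  const base = new URL(baseUrl);
  let target;
  try {
    target = new URL(String(url), base);
  } catch {
    return baseUrl; // unparseable input: send the user back to the site
  }
  return target.origin === base.origin ? target.href : baseUrl;
}

// Hypothetical weak check (illustration only, not code from next-auth): a
// plain string prefix test. A host that merely begins with the site name, or
// uses the site name as userinfo (https://example.com@attacker.example), passes.
function prefixRedirect({ url, baseUrl }) {
  return String(url).startsWith(baseUrl) ? String(url) : baseUrl;
}

const BASE = "https://example.com"; // constructed deployment URL

// Constructed callbackUrl values: two legitimate targets, then payloads that
// typically defeat a prefix check, and one value that does not parse at all.
const SAMPLES = [
  "/dashboard",
  "https://example.com/account",
  "https://example.com.attacker.example/",
  "https://example.com@attacker.example/",
  "//attacker.example/",
  "javascript:alert(1)",
  "https://", // no host: URL parsing fails
];

// Run both callbacks over the samples; returns { url: { safe, weak } }.
function evaluate(samples = SAMPLES, baseUrl = BASE) {
  const out = {};
  for (const url of samples) {
    out[url] = {
      safe: safeRedirect({ url, baseUrl }),
      weak: prefixRedirect({ url, baseUrl }),
    };
  }
  return out;
}

for (const [url, r] of Object.entries(evaluate())) {
  console.log(`${url}\n  hardened -> ${r.safe}\n  prefix   -> ${r.weak}`);
}
```

Resolving the input relative to baseUrl means a protocol-relative value such as //attacker.example is judged by the origin it would actually navigate to, and comparing origin rather than the raw string normalizes scheme and host case and default ports, so legitimate variants still pass. Comparing against the parsed origin of baseUrl (instead of the baseUrl string itself) also keeps the check correct when baseUrl carries a trailing slash or a path.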
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://next-auth.js.org/getting-started/upgrade-v4
https://next-auth.js.org/configuration/callbacks#redirect-callback
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM