CVE-2022-24858

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*

History

29 Apr 2022, 23:53

Type Values Removed Values Added
CWE CWE-601
CVSS v2 : unknown
v3 : unknown
v2 : 5.8
v3 : 6.1
CPE cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
First Time Nextauth.js
Nextauth.js next-auth
References (MISC) https://next-auth.js.org/getting-started/upgrade-v4 - (MISC) https://next-auth.js.org/getting-started/upgrade-v4 - Vendor Advisory
References (MISC) https://next-auth.js.org/configuration/callbacks#redirect-callback - (MISC) https://next-auth.js.org/configuration/callbacks#redirect-callback - Vendor Advisory
References (CONFIRM) https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw - (CONFIRM) https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw - Mitigation, Third Party Advisory

19 Apr 2022, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-19 23:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-24858

Mitre link : CVE-2022-24858

CVE.ORG link : CVE-2022-24858


JSON object : View

Products Affected

nextauth.js

  • next-auth
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CWE-290

Authentication Bypass by Spoofing