CVE-2023-48309

NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://authjs.dev/guides/basics/role-based-access-control	Technical Description
https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10	Patch
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89	Vendor Advisory
https://next-auth.js.org/configuration/nextjs#advanced-usage	Technical Description
https://next-auth.js.org/configuration/nextjs#middlewar	Technical Description

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*

History

25 Nov 2023, 02:18

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:nextauth.js:next-auth::::::node.js::*
First Time		Nextauth.js Nextauth.js next-auth
References	~~() https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89 -~~	() https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89 - Vendor Advisory
References	~~() https://next-auth.js.org/configuration/nextjs#advanced-usage -~~	() https://next-auth.js.org/configuration/nextjs#advanced-usage - Technical Description
References	~~() https://next-auth.js.org/configuration/nextjs#middlewar -~~	() https://next-auth.js.org/configuration/nextjs#middlewar - Technical Description
References	~~() https://authjs.dev/guides/basics/role-based-access-control -~~	() https://authjs.dev/guides/basics/role-based-access-control - Technical Description
References	~~() https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10 -~~	() https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10 - Patch

20 Nov 2023, 19:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-20 19:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-48309

Mitre link : CVE-2023-48309

CVE.ORG link : CVE-2023-48309

JSON object : View

Products Affected

nextauth.js

next-auth

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

5.3 /10