CVE-2022-24858
6.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextauthjs | next-auth | < 3.29.2, < 4.3.2 | affected |
Weaknesses
- CWE-290: CWE-290: Authentication Bypass by Spoofing
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
- https://next-auth.js.org/configuration/callbacks#redirect-callback
- https://next-auth.js.org/getting-started/upgrade-v4
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
- https://next-auth.js.org/configuration/callbacks#redirect-callback
- https://next-auth.js.org/getting-started/upgrade-v4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.