CVE Vulnerability

CVE-2022-31093

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85 Patch Third Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6 Patch Third Party Advisory
https://next-auth.js.org/configuration/initialization#advanced-initialization Vendor Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432 Mitigation Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
Information

Published : 2022-06-27 10:15

Updated : 2022-07-07 07:45

NVD link : CVE-2022-31093

Mitre link : CVE-2022-31093

Products Affected
No products.
CWE
CWE-754