next-auth security vulnerability

🗓️ 20 Nov 2023 00:00:00Reported by China National Vulnerability Database of Information SecurityType

A vulnerability in NextAuth versions before 4.24.5 lets an attacker obtain a NextAuth issued JWT from an interrupted OAuth login and create a simulated user to snoop on the logged-in user.

Reporter	Title	Published	Views	Family All 13
IBM Security Bulletins	Security Bulletin: next-auth-4.24.3.tgz is vulnerable to CVE-2023-48309 used in IBM Maximo Application Suite - Edge Data Collector	10 Apr 202410:48	–	ibm
Circl	CVE-2023-48309	28 Dec 202302:30	–	circl
CVE	CVE-2023-48309	20 Nov 202318:25	–	cve
Cvelist	CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication	20 Nov 202318:25	–	cvelist
EUVD	EUVD-2023-3038	3 Oct 202520:07	–	euvd
Github Security Blog	Possible user mocking that bypasses basic authentication	20 Nov 202323:25	–	github
NVD	CVE-2023-48309	20 Nov 202319:15	–	nvd
OSV	CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication	20 Nov 202318:25	–	osv
OSV	GHSA-V64W-49XW-QQ89 Possible user mocking that bypasses basic authentication	20 Nov 202323:25	–	osv
Prion	Design/Logic Flaw	20 Nov 202319:15	–	prion

Source	Link
github	www.github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89
github	www.github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10
authjs	www.authjs.dev/guides/basics/role-based-access-control
next-auth	www.next-auth.js.org/configuration/nextjs
next-auth	www.next-auth.js.org/configuration/nextjs
cxsecurity	www.cxsecurity.com/cveshow/CVE-2023-48309/

16 Jan 2026 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.15.3

EPSS0.007

SSVC