79 matches found
CVE-2022-31093 Improper Handling of `callbackUrl` parameter in next-auth
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...
CVE-2022-31093 Improper Handling of `callbackUrl` parameter in next-auth
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...
CVE-2022-31093
NextAuth.js (for Next.js) contains a vulnerability where an invalid callbackUrl query parameter can be passed, causing the URL constructor to throw an unhandled error and leading to API route timeouts and login failures. This issue has concrete fixes: upgrading to versions 3.29.5 or 4.5.0 resolve...
CVE-2022-29214
NextAuth.js next-auth is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
Open redirect
NextAuth.js next-auth is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
NextAuth.js输入验证错误漏洞
NextAuth.js is a Next.js authentication. An input validation error vulnerability exists in versions of NextAuth.js prior to 3.29.3 and 4.3.3, which stems from an application departing open redirect vulnerability when deploying the OAuth 1.0 program...
CVE-2022-29214
CVE-2022-29214 affects NextAuth.js (next-auth). The vulnerability is an open redirect when implementing an OAuth 1 provider, present in versions prior to 3.29.3 (v3) and 4.3.3 (v4). A patch exists in those respective versions (3.29.3 and 4.3.3). If upgrading is not possible, a workaround is docum...
CVE-2022-29214 URL Redirection to Untrusted Site ('Open Redirect') in next-auth
NextAuth.js next-auth is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
CVE-2022-29214 URL Redirection to Untrusted Site ('Open Redirect') in next-auth
NextAuth.js next-auth is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
CVE-2022-29214 URL Redirection to Untrusted Site ('Open Redirect') in next-auth
NextAuth.js next-auth is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
GHSA-F9WG-5F46-CJMW NextAuth.js default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. We recommend upgrading to v4 in most cases. See our migration guide.next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a...
NextAuth.js default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. We recommend upgrading to v4 in most cases. See our migration guide.next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a...
CVE-2021-21310
NextAuth.js next-auth is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
CVE-2021-21310
NextAuth.js next-auth is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
Default configuration
NextAuth.js next-auth is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
CVE-2021-21310
NextAuth.js next-auth is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
CVE-2021-21310
NextAuth.js (next-auth) token verification vulnerability affects the Prisma database adapter when used with the Email provider (before 3.3.0). The defect: verification tokens were checked but not the associated email identifier, enabling sign-in as another user with a valid token. The issue is sp...
CVE-2021-21310 Token verification bug in next-auth
NextAuth.js next-auth is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
Token verification bug in next-auth
Impact Implementations using the Prisma database adapter with the Email provider are impacted. Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter TypeORM with the Email provider are not...