45 matches found
Improper Neutralization
Overview: next-auth is an authentication library for Next.js. Affected versions of this package are vulnerable to Improper Neutralization in the email validation component. An attacker can intercept sensitive authentication emails by submitting a specially crafted email address that manipulates the parsing...
@aangeles/jefeui (>=1.10.0 <=1.11.6), @aipmorg/chat (=1.5.3) +54 more potentially affected by unknown CVE via next-auth (>=5.0.0-beta.11 <=5.0.0-beta.3)
next-auth NPM version =5.0.0-beta.11, =1.10.0, =1.10.3, =0.1.0, =1.2.4-main.7f918ee.29, =0.0.2, =1.0.0, =0.1.6, =0.152.1, =1.0.0, =0.106.0, =0.122.0-rc.13 - @irshadkhan-dev/pandapulse-db =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-5JPX-9HW9-2FX4...
EUVD-2022-1719
Malicious code in bioql PyPI...
CVE-2022-24858
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already...
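The configuration the advisory points at is a `redirect` callback in the `callbacks` option, which decides where the user may be sent after sign-in. The block below is an added example, not code from next-auth or from the advisory: a v4-style `redirect({ url, baseUrl })` callback that only follows targets resolving to the application's own origin, beside a prefix-only check (`naiveRedirect`, a constructed name) that a lookalike host walks past. The sample hostnames are constructed.

```javascript
// Added example (not next-auth's own code): a NextAuth.js v4-style
// `redirect({ url, baseUrl })` callback that only follows callback URLs
// resolving to the application's own origin. Unknown or foreign targets fall
// back to baseUrl. `naiveRedirect` is a constructed weak check for contrast.

function redirect({ url, baseUrl }) {
  const base = new URL(baseUrl);
  let target;
  try {
    // Relative paths resolve against baseUrl; absolute URLs keep their own
    // scheme and host, which is exactly what gets compared below.
    target = new URL(url, base);
  } catch {
    return base.toString(); // unparsable input: send the user home
  }
  // Compare the parsed origin, not a string prefix. A prefix test passes
  // "https://app.example.evil.example" for base "https://app.example", and
  // protocol-relative ("//evil.example") or backslash ("/\\evil.example")
  // inputs only reveal their real host after WHATWG URL parsing.
  if (target.origin !== base.origin) {
    return base.toString();
  }
  return target.toString();
}

// Prefix-only check, included to show the bypass; do not use.
function naiveRedirect({ url, baseUrl }) {
  return url.startsWith(baseUrl) ? url : baseUrl;
}

// Where it plugs in (v4): NextAuth({ providers, callbacks: { redirect } })
```

The origin comparison also rejects `javascript:` and other non-http targets, whose parsed origin is `"null"`. In v3 the callback takes positional arguments, `redirect(url, baseUrl)`, so adapt the signature there.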
MAL-2025-3794 Malicious code in next-auth-core (npm)
Per source details (source: ghsa-malware, c0038c51339b63eb3fe77a5d623ae004832f05cc831ff582362d202f30a49072): Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Security Bulletin: next-auth-4.24.3.tgz is vulnerable to CVE-2023-48309 used in IBM Maximo Application Suite - Edge Data Collector
Summary: IBM Maximo Application Suite - Edge Data Collector uses next-auth-4.24.3.tgz, which is vulnerable to CVE-2023-48309. Vulnerability Details: CVEID: CVE-2023-48309. DESCRIPTION: Auth.js next-auth could allow a remote attacker to obtain sensitive information, caused by improper authentication...
GHSA-V64W-49XW-QQ89 Possible user mocking that bypasses basic authentication
Impact: next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected. A bad actor could create an empty/mock user by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE, or nonce). Manually overriding the...
CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication
NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...
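The weakness in the three CVE-2023-48309 entries above is that "a NextAuth.js JWT is present" is not the same as "a signed-in user is present". The block below is an added example, not next-auth's own code: it contrasts a presence-only decision with an `authorized` callback for `withAuth` that requires the claims a real session carries. The two token payloads are constructed illustrations of what a session cookie and an interrupted-flow cookie decode to, not captures from the library.

```javascript
// Added example (not next-auth's own code). Models the weakness: deciding
// "authorized" on the mere presence of a NextAuth.js JWT accepts any token the
// library ever issued, including the short-lived state/PKCE/nonce cookies an
// interrupted OAuth flow leaves behind. Payloads below are constructed.

// What a session cookie carries after a completed sign-in (illustrative).
const SESSION_TOKEN = {
  sub: "user_123",
  name: "Alice",
  email: "alice@example.com",
  iat: 1700000000,
  exp: 1700003600,
};

// What an interrupted flow leaves behind, e.g. a PKCE code_verifier cookie:
// a value and an expiry, but no identity claims (illustrative shape).
const PKCE_TOKEN = {
  value: "nYv3-constructed-code-verifier",
  exp: 1700000900,
};

// Equivalent of relying on the default Middleware decision: token present => allowed.
function authorizedByPresence({ token }) {
  return Boolean(token);
}

// Hardened `authorized` callback: require the claims a real session has and
// an unexpired `exp`. Add app-specific claims (roles, email) as needed.
function authorizedByClaims({ token }, now = Math.floor(Date.now() / 1000)) {
  if (!token || typeof token !== "object") return false;
  if (typeof token.sub !== "string" || token.sub.length === 0) return false;
  if (typeof token.exp !== "number" || token.exp <= now) return false;
  return true;
}

// Where it plugs in (v4 middleware.js):
//   import { withAuth } from "next-auth/middleware";
//   export default withAuth({ callbacks: { authorized: authorizedByClaims } });
```

Upgrading to 4.24.5 is still the fix; the callback is the defence-in-depth a reader who cannot upgrade yet would add, and it remains worth having afterwards because it makes the authorization rule explicit.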
Cross-Site Request Forgery (CSRF)
next-auth is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists due to missing state, nonce, and PKCE checks for OAuth authentication, which allows an attacker to bypass the CSRF protection...
@app-box/web (=1.0.0), @chirpy-dev/analytics (=0.0.1) +46 more potentially affected by CVE-2023-27490 via next-auth (>=0.0.0-manual.83c4ebd1 <=4.1.2)
next-auth NPM version =0.0.0-manual.83c4ebd1, =3.0.0-canary.160.0, =2.0.1-canary.24.0, =4.0.0-alpha.24, =4.0.0-alpha.1, =4.0.0-alpha.6, =1.0.99-0.next12, =0.1.0, =0.46.0, =0.30.0, =0.3.0, =0.10.0, =0.13.3 and more Source cves: CVE-2023-27490 Source advisory: OSV:GHSA-7R7X-4C4Q-C4QF...
GHSA-7R7X-4C4Q-C4QF Missing proper state, nonce and PKCE checks for OAuth authentication
Impact: next-auth applications using OAuth provider versions before v4.20.1 are affected. A bad actor who can spy on the victim's network, or who can social-engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to log in as the victim, bypassing...
GHSA-4RXR-27MM-MXQ9 Upstash Adapter missing token verification
Impact: Applications that use the next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected. Description: The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, checking only the identifier when verifying the token in t...
GHSA-P6MM-27GQ-9V3P next-auth before v4.10.2 and v3.29.9 leaks excessive information into log
Impact: An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log-access privileges to obtain excessive information, such as an identity provider's secret, from the log output produced during OAuth error handling, and to use it to leverage further attacks o...
@app-box/web (=1.0.0), @comet/cms-site (>=3.0.0-canary.160.0 <=4.0.0-canary.1049.0) +33 more potentially affected by CVE-2022-31186 via next-auth (>=0.0.0-manual.83c4ebd1 <=3.29.10)
next-auth NPM version =0.0.0-manual.83c4ebd1, =3.0.0-canary.160.0, =2.0.1-canary.24.0, =1.0.99-0.next12, =0.1.0, =0.46.0, =0.30.0, =0.3.0, =0.10.0, =0.2.0, =0.3.0, =0.3.0, =0.4.0, =0.1.0, =0.1.3 and more Source cves: CVE-2022-31186 Source advisory: OSV:GHSA-P6MM-27GQ-9V3P...
Information Disclosure
next-auth is vulnerable to information disclosure. A local authenticated attacker is able to gain access to confidential information, such as an identity provider's classified data, from the log through the error handling of the oAuthCallback function...