79 matches found
CVE-2022-31186
NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log whi...
CVE-2022-31093
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...
CVE-2022-35924
NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...
EUVD-2025-36636
NextAuthjs Email misdelivery Vulnerability...
EUVD-2021-0562
Malware in sbrugna...
EUVD-2022-6592
Malicious code in bioql PyPI...
EUVD-2022-6383
Malicious code in bioql PyPI...
EUVD-2022-4862
Malicious code in bioql PyPI...
EUVD-2023-3038
Malicious code in bioql PyPI...
EUVD-2023-0931
Malicious code in bioql PyPI...
EUVD-2022-6046
Malicious code in bioql PyPI...
EUVD-2022-6649
Malicious code in bioql PyPI...
CVE-2023-27490
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
CVE-2022-29214
NextAuth.js next-auth is an open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers...
CVE-2021-21310
NextAuth.js next-auth is an open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the...
CVE-2022-31127
NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...
Improper Authorization
next-auth is vulnerable to Improper Authorization. A malicious actor could create an empty/mock user by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow state, PKCE or nonce. Manually overriding the next-auth.session-token cookie value with this non-related JWT woul...
CVE-2023-48309
NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...
Design/Logic Flaw
NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...
CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication
NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...