Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/61418?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/61418?format=api", "purl": "pkg:npm/next-auth@4.0.0", "type": "npm", "namespace": "", "name": "next-auth", "version": "4.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.3.2", "latest_non_vulnerable_version": "5.0.0-beta.30", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42935?format=api", "vulnerability_id": "VCID-8r8h-7m4p-f3hz", "summary": "NextAuth.js default redirect callback vulnerable to open redirects\nnext-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.", "references": [ { "reference_url": "https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50" }, { "reference_url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2" }, { "reference_url": "https://next-auth.js.org/configuration/callbacks#redirect-callback", "reference_id": "", "reference_type": "", "scores": [], "url": "https://next-auth.js.org/configuration/callbacks#redirect-callback" }, { "reference_url": "https://next-auth.js.org/getting-started/upgrade-v4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://next-auth.js.org/getting-started/upgrade-v4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24858", "reference_id": "CVE-2022-24858", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24858" }, { "reference_url": "https://github.com/advisories/GHSA-f9wg-5f46-cjmw", "reference_id": "GHSA-f9wg-5f46-cjmw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f9wg-5f46-cjmw" }, { "reference_url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw", "reference_id": "GHSA-f9wg-5f46-cjmw", "reference_type": "", "scores": [], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61420?format=api", "purl": "pkg:npm/next-auth@4.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2" } ], "aliases": [ "CVE-2022-24858", "GHSA-f9wg-5f46-cjmw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8r8h-7m4p-f3hz" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0" }