Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next-auth@2.0.0-beta.26
Type npm
Namespace
Name next-auth
Version 2.0.0-beta.26
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.24.12
Latest_non_vulnerable_version 5.0.0-beta.30
Affected_by_vulnerabilities
0
url VCID-496f-xt1n-vyg4
vulnerability_id VCID-496f-xt1n-vyg4
summary NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-35924
reference_id
reference_type
scores
0
value 0.0042
scoring_system epss
scoring_elements 0.62505
published_at 2026-06-14T12:55:00Z
1
value 0.0042
scoring_system epss
scoring_elements 0.62397
published_at 2026-06-11T12:55:00Z
2
value 0.0042
scoring_system epss
scoring_elements 0.62498
published_at 2026-06-12T12:55:00Z
3
value 0.0042
scoring_system epss
scoring_elements 0.6251
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-35924
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://next-auth.js.org/providers/email#normalizing-the-email-address
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://next-auth.js.org/providers/email#normalizing-the-email-address
3
reference_url https://nodemailer.com/message/addresses
reference_id addresses
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://nodemailer.com/message/addresses
4
reference_url https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003
reference_id afb1fcdae3cc30445038ef588e491d139b916003
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003
5
reference_url https://next-auth.js.org/configuration/callbacks#sign-in-callback
reference_id callbacks#sign-in-callback
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://next-auth.js.org/configuration/callbacks#sign-in-callback
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-35924
reference_id CVE-2022-35924
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-35924
7
reference_url https://next-auth.js.org/providers/email
reference_id email
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://next-auth.js.org/providers/email
8
reference_url https://en.wikipedia.org/wiki/Email_address#Local-part
reference_id Email_address#Local-part
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://en.wikipedia.org/wiki/Email_address#Local-part
9
reference_url https://next-auth.js.org/providers/email#normalizing-the-e-mail-address
reference_id email#normalizing-the-e-mail-address
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://next-auth.js.org/providers/email#normalizing-the-e-mail-address
10
reference_url https://github.com/advisories/GHSA-xv97-c62v-4587
reference_id GHSA-xv97-c62v-4587
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xv97-c62v-4587
11
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587
reference_id GHSA-xv97-c62v-4587
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587
12
reference_url https://next-auth.js.org/configuration/initialization#advanced-initialization
reference_id initialization#advanced-initialization
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/
url https://next-auth.js.org/configuration/initialization#advanced-initialization
fixed_packages
0
url pkg:npm/next-auth@3.29.10
purl pkg:npm/next-auth@3.29.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-79cm-nfc6-gfa5
1
vulnerability VCID-9jgr-hm39-77fg
2
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.10
1
url pkg:npm/next-auth@4.10.3
purl pkg:npm/next-auth@4.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-79cm-nfc6-gfa5
1
vulnerability VCID-9jgr-hm39-77fg
2
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.10.3
aliases CVE-2022-35924, GHSA-xv97-c62v-4587
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-496f-xt1n-vyg4
1
url VCID-79cm-nfc6-gfa5
vulnerability_id VCID-79cm-nfc6-gfa5
summary NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-48309
reference_id
reference_type
scores
0
value 0.00295
scoring_system epss
scoring_elements 0.53308
published_at 2026-06-13T12:55:00Z
1
value 0.00295
scoring_system epss
scoring_elements 0.53295
published_at 2026-06-14T12:55:00Z
2
value 0.00295
scoring_system epss
scoring_elements 0.53166
published_at 2026-06-11T12:55:00Z
3
value 0.00295
scoring_system epss
scoring_elements 0.53293
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-48309
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-48309
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-48309
3
reference_url https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10
reference_id d237059b6d0cb868c041ba18b698e0cee20a2f10
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/
url https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10
4
reference_url https://github.com/advisories/GHSA-v64w-49xw-qq89
reference_id GHSA-v64w-49xw-qq89
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v64w-49xw-qq89
5
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89
reference_id GHSA-v64w-49xw-qq89
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89
6
reference_url https://next-auth.js.org/configuration/nextjs#advanced-usage
reference_id nextjs#advanced-usage
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/
url https://next-auth.js.org/configuration/nextjs#advanced-usage
7
reference_url https://next-auth.js.org/configuration/nextjs#middlewar
reference_id nextjs#middlewar
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/
url https://next-auth.js.org/configuration/nextjs#middlewar
8
reference_url https://authjs.dev/guides/basics/role-based-access-control
reference_id role-based-access-control
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/
url https://authjs.dev/guides/basics/role-based-access-control
fixed_packages
0
url pkg:npm/next-auth@4.24.5
purl pkg:npm/next-auth@4.24.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9jgr-hm39-77fg
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.5
aliases CVE-2023-48309, GHSA-v64w-49xw-qq89
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-79cm-nfc6-gfa5
2
url VCID-7pmm-9rk3-gka2
vulnerability_id VCID-7pmm-9rk3-gka2
summary next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24858
reference_id
reference_type
scores
0
value 0.00318
scoring_system epss
scoring_elements 0.55304
published_at 2026-06-11T12:55:00Z
1
value 0.00318
scoring_system epss
scoring_elements 0.55427
published_at 2026-06-14T12:55:00Z
2
value 0.00318
scoring_system epss
scoring_elements 0.55441
published_at 2026-06-13T12:55:00Z
3
value 0.00318
scoring_system epss
scoring_elements 0.55425
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24858
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
3
reference_url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
4
reference_url https://next-auth.js.org/configuration/callbacks#redirect-callback
reference_id callbacks#redirect-callback
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/
url https://next-auth.js.org/configuration/callbacks#redirect-callback
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24858
reference_id CVE-2022-24858
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24858
6
reference_url https://github.com/advisories/GHSA-f9wg-5f46-cjmw
reference_id GHSA-f9wg-5f46-cjmw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f9wg-5f46-cjmw
7
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
reference_id GHSA-f9wg-5f46-cjmw
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
8
reference_url https://next-auth.js.org/getting-started/upgrade-v4
reference_id upgrade-v4
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/
url https://next-auth.js.org/getting-started/upgrade-v4
fixed_packages
0
url pkg:npm/next-auth@3.29.2
purl pkg:npm/next-auth@3.29.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2
1
url pkg:npm/next-auth@4.0.0-beta.1
purl pkg:npm/next-auth@4.0.0-beta.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-79cm-nfc6-gfa5
1
vulnerability VCID-9jgr-hm39-77fg
2
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0-beta.1
2
url pkg:npm/next-auth@4.3.2
purl pkg:npm/next-auth@4.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-bf1j-nb43-pudk
4
vulnerability VCID-jqpb-patf-zkf7
5
vulnerability VCID-sbmn-xem7-17aw
6
vulnerability VCID-smgj-837q-pfe2
7
vulnerability VCID-yrne-9dx3-rkev
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2
aliases CVE-2022-24858, GHSA-f9wg-5f46-cjmw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7pmm-9rk3-gka2
3
url VCID-9jgr-hm39-77fg
vulnerability_id VCID-9jgr-hm39-77fg
summary NextAuthjs Email misdelivery Vulnerability
references
0
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
1
reference_url https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece
2
reference_url https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172
3
reference_url https://github.com/advisories/GHSA-5jpx-9hw9-2fx4
reference_id GHSA-5jpx-9hw9-2fx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5jpx-9hw9-2fx4
4
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4
reference_id GHSA-5jpx-9hw9-2fx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4
fixed_packages
0
url pkg:npm/next-auth@4.24.12
purl pkg:npm/next-auth@4.24.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.12
1
url pkg:npm/next-auth@5.0.0-beta.30
purl pkg:npm/next-auth@5.0.0-beta.30
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@5.0.0-beta.30
aliases GHSA-5jpx-9hw9-2fx4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9jgr-hm39-77fg
4
url VCID-b5ve-atnr-m7cm
vulnerability_id VCID-b5ve-atnr-m7cm
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21310
reference_id
reference_type
scores
0
value 0.00371
scoring_system epss
scoring_elements 0.5933
published_at 2026-06-11T12:55:00Z
1
value 0.00371
scoring_system epss
scoring_elements 0.5944
published_at 2026-06-12T12:55:00Z
2
value 0.00371
scoring_system epss
scoring_elements 0.59452
published_at 2026-06-13T12:55:00Z
3
value 0.00371
scoring_system epss
scoring_elements 0.59443
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21310
1
reference_url https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0
2
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21310
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21310
4
reference_url https://www.npmjs.com/package/next-auth
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/next-auth
5
reference_url https://github.com/advisories/GHSA-pg53-56cg-4m8q
reference_id GHSA-pg53-56cg-4m8q
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pg53-56cg-4m8q
fixed_packages
0
url pkg:npm/next-auth@3.3.0
purl pkg:npm/next-auth@3.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-7pmm-9rk3-gka2
3
vulnerability VCID-9jgr-hm39-77fg
4
vulnerability VCID-bf1j-nb43-pudk
5
vulnerability VCID-jqpb-patf-zkf7
6
vulnerability VCID-sbmn-xem7-17aw
7
vulnerability VCID-smgj-837q-pfe2
8
vulnerability VCID-yrne-9dx3-rkev
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.3.0
aliases CVE-2021-21310, GHSA-pg53-56cg-4m8q
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ve-atnr-m7cm
5
url VCID-jqpb-patf-zkf7
vulnerability_id VCID-jqpb-patf-zkf7
summary NextAuth.js (next-auth) is an open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-29214
reference_id
reference_type
scores
0
value 0.00239
scoring_system epss
scoring_elements 0.47337
published_at 2026-06-14T12:55:00Z
1
value 0.00239
scoring_system epss
scoring_elements 0.47341
published_at 2026-06-12T12:55:00Z
2
value 0.00239
scoring_system epss
scoring_elements 0.47199
published_at 2026-06-11T12:55:00Z
3
value 0.00239
scoring_system epss
scoring_elements 0.47356
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-29214
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-29214
reference_id CVE-2022-29214
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-29214
3
reference_url https://github.com/advisories/GHSA-q2mx-j4x2-2h74
reference_id GHSA-q2mx-j4x2-2h74
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2mx-j4x2-2h74
4
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74
reference_id GHSA-q2mx-j4x2-2h74
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:57Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74
5
reference_url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3
reference_id next-auth%40v4.3.3
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:57Z/
url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3
fixed_packages
0
url pkg:npm/next-auth@3.29.3
purl pkg:npm/next-auth@3.29.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-bf1j-nb43-pudk
4
vulnerability VCID-sbmn-xem7-17aw
5
vulnerability VCID-smgj-837q-pfe2
6
vulnerability VCID-yrne-9dx3-rkev
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.3
1
url pkg:npm/next-auth@4.3.3
purl pkg:npm/next-auth@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-bf1j-nb43-pudk
4
vulnerability VCID-sbmn-xem7-17aw
5
vulnerability VCID-smgj-837q-pfe2
6
vulnerability VCID-yrne-9dx3-rkev
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.3
aliases CVE-2022-29214, GHSA-q2mx-j4x2-2h74
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jqpb-patf-zkf7
6
url VCID-sbmn-xem7-17aw
vulnerability_id VCID-sbmn-xem7-17aw
summary NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can use the `logger` configuration option to sanitize the logs.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31186
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.1792
published_at 2026-06-12T12:55:00Z
1
value 0.00056
scoring_system epss
scoring_elements 0.17912
published_at 2026-06-14T12:55:00Z
2
value 0.00056
scoring_system epss
scoring_elements 0.1776
published_at 2026-06-11T12:55:00Z
3
value 0.00056
scoring_system epss
scoring_elements 0.17937
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31186
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31186
reference_id CVE-2022-31186
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31186
3
reference_url https://github.com/advisories/GHSA-p6mm-27gq-9v3p
reference_id GHSA-p6mm-27gq-9v3p
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p6mm-27gq-9v3p
4
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3p
reference_id GHSA-p6mm-27gq-9v3p
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3p
5
reference_url https://next-auth.js.org/configuration/options#logger
reference_id options#logger
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/
url https://next-auth.js.org/configuration/options#logger
6
reference_url https://next-auth.js.org/getting-started/upgrade-v4
reference_id upgrade-v4
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/
url https://next-auth.js.org/getting-started/upgrade-v4
7
reference_url https://next-auth.js.org/warnings#debug_enabled
reference_id warnings#debug_enabled
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/
url https://next-auth.js.org/warnings#debug_enabled
fixed_packages
0
url pkg:npm/next-auth@3.29.9
purl pkg:npm/next-auth@3.29.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.9
1
url pkg:npm/next-auth@4.10.2
purl pkg:npm/next-auth@4.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.10.2
aliases CVE-2022-31186, GHSA-p6mm-27gq-9v3p
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sbmn-xem7-17aw
7
url VCID-smgj-837q-pfe2
vulnerability_id VCID-smgj-837q-pfe2
summary NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may, using Advanced Initialization, manually check the callback request's state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.
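The workaround above (verify the callback's state, pkce and nonce artefacts against what the provider was configured to use, before NextAuth processes the request) as an added example. This is not next-auth's own code: the cookie names in `COOKIE_FOR_CHECK`, the shape of `provider.checks`, and the sample callbacks are assumptions constructed for this example. The check fails closed, so a callback that arrives without the artefacts of a login this browser actually started is rejected rather than passed through.

```javascript
// Added example (not next-auth's code): fail-closed pre-check for an OAuth
// callback, modelled on the advisory's workaround. Cookie names and the
// provider.checks shape are assumptions for this example.

// Constructed provider configuration: which checks this provider is meant to use.
const providerConfig = { id: "example-oidc", checks: ["state", "pkce", "nonce"] };

// Assumed names of the cookies holding the per-login artefacts.
const COOKIE_FOR_CHECK = {
  state: "next-auth.state",
  pkce: "next-auth.pkce.code_verifier",
  nonce: "next-auth.nonce",
};

// Returns { ok: true } when every configured check can be satisfied, otherwise
// { ok: false, reason }. A missing artefact is treated as an attack, never as
// "nothing to verify".
function validateOAuthCallback(provider, query, cookies) {
  for (const check of provider.checks) {
    if (check === "none") continue; // provider explicitly opted out of checks
    const stored = cookies[COOKIE_FOR_CHECK[check]];
    if (!stored) return { ok: false, reason: `missing stored ${check}` };
    if (check === "state") {
      // The provider must echo back exactly the state issued for this login.
      if (!query.state) return { ok: false, reason: "callback has no state" };
      if (query.state !== stored) return { ok: false, reason: "state mismatch" };
    }
    // pkce: the code_verifier is only sent to the token endpoint, so at callback
    // time the pre-check can only require that it exists for this login.
    // nonce: compared against the id_token's nonce claim after token exchange;
    // again the pre-check only requires that the stored value exists.
  }
  if (!query.code) return { ok: false, reason: "callback has no authorization code" };
  return { ok: true };
}

// Constructed sample: the browser that started the login receives the callback.
function legitimateCallback() {
  return validateOAuthCallback(
    providerConfig,
    { code: "AUTHZ_CODE_FROM_PROVIDER", state: "s3cr3t-state-123" },
    {
      "next-auth.state": "s3cr3t-state-123",
      "next-auth.pkce.code_verifier": "verifier-for-this-login",
      "next-auth.nonce": "nonce-for-this-login",
    }
  );
}

// Constructed sample: a manipulated login link whose state does not belong to
// the login this browser started. Rejected before NextAuth ever sees it.
function tamperedCallback() {
  return validateOAuthCallback(
    providerConfig,
    { code: "ATTACKER_CODE", state: "attacker-state" },
    {
      "next-auth.state": "s3cr3t-state-123",
      "next-auth.pkce.code_verifier": "verifier-for-this-login",
      "next-auth.nonce": "nonce-for-this-login",
    }
  );
}

// Constructed sample: no login was started in this browser at all.
function callbackWithoutStoredArtefacts() {
  return validateOAuthCallback(providerConfig, { code: "ATTACKER_CODE", state: "x" }, {});
}
```

In a catch-all route set up with Advanced Initialization, run `validateOAuthCallback` on requests to the provider's callback path before handing the request to NextAuth, and answer a failure with a 4xx without calling NextAuth at all; the mismatch reasons are for server-side logging, not for the response body.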
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27490
reference_id
reference_type
scores
0
value 0.00244
scoring_system epss
scoring_elements 0.48106
published_at 2026-06-14T12:55:00Z
1
value 0.00244
scoring_system epss
scoring_elements 0.48122
published_at 2026-06-13T12:55:00Z
2
value 0.00244
scoring_system epss
scoring_elements 0.47966
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27490
1
reference_url https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not
2
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
3
reference_url https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27490
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27490
5
reference_url https://security.netapp.com/advisory/ntap-20230420-0006
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230420-0006
6
reference_url https://github.com/advisories/GHSA-7r7x-4c4q-c4qf
reference_id GHSA-7r7x-4c4q-c4qf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7r7x-4c4q-c4qf
7
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf
reference_id GHSA-7r7x-4c4q-c4qf
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf
8
reference_url https://next-auth.js.org/configuration/initialization#advanced-initialization
reference_id initialization#advanced-initialization
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://next-auth.js.org/configuration/initialization#advanced-initialization
9
reference_url https://security.netapp.com/advisory/ntap-20230420-0006/
reference_id ntap-20230420-0006
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://security.netapp.com/advisory/ntap-20230420-0006/
10
reference_url https://next-auth.js.org/configuration/providers/oauth
reference_id oauth
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://next-auth.js.org/configuration/providers/oauth
11
reference_url https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
reference_id pkce-vs-nonce-equivalent-or-not
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
12
reference_url https://authjs.dev/reference/core/providers#checks
reference_id providers#checks
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://authjs.dev/reference/core/providers#checks
13
reference_url https://www.rfc-editor.org/rfc/rfc6749#section-10.12
reference_id rfc6749#section-10.12
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/
url https://www.rfc-editor.org/rfc/rfc6749#section-10.12
fixed_packages
0
url pkg:npm/next-auth@4.20.1
purl pkg:npm/next-auth@4.20.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-79cm-nfc6-gfa5
1
vulnerability VCID-9jgr-hm39-77fg
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.20.1
aliases CVE-2023-27490, GHSA-7r7x-4c4q-c4qf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-smgj-837q-pfe2
8
url VCID-yrne-9dx3-rkev
vulnerability_id VCID-yrne-9dx3-rkev
summary NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server into sending it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email, containing a link to the attacker's site, was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted (we recommend upgrading to v4, as v3 is considered unmaintained); next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or properly sanitize (HTML-escape) it.
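The vulnerable pattern described above (interpolating the client-supplied `email` into the HTML body of the verification mail) next to the two hardened forms the advisory names, as an added example. None of this is next-auth's own template; the `renderVerificationHtml*` names, `escapeHtml`, and the attacker input are constructed for this example and shaped like the one quoted in the summary.

```javascript
// Added example (not next-auth's code): the injectable template beside the
// escaped and the "don't render the address" versions. Function names and
// sample input are constructed for this example.

// Minimal HTML escaper, safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: whatever the client posted as `email` lands in the HTML verbatim,
// so an attacker-controlled anchor is rendered as a real link in the mail.
function renderVerificationHtmlVulnerable({ url, email, host }) {
  return `<p>Sign in as <strong>${email}</strong> to ${host}</p><a href="${url}">Sign in</a>`;
}

// Hardened, option 1: escape every interpolated value for its HTML context.
function renderVerificationHtmlEscaped({ url, email, host }) {
  return (
    `<p>Sign in as <strong>${escapeHtml(email)}</strong> to ${escapeHtml(host)}</p>` +
    `<a href="${escapeHtml(url)}">Sign in</a>`
  );
}

// Hardened, option 2 (what the fixed releases do): do not render the address.
function renderVerificationHtmlWithoutEmail({ url, host }) {
  return `<p>Sign in to ${escapeHtml(host)}</p><a href="${escapeHtml(url)}">Sign in</a>`;
}

// Constructed attacker input, shaped like the one in the advisory.
const ATTACKER_EMAIL =
  'balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>';

// Detection helper: is there a live anchor to attacker.com in the rendered body?
function containsInjectedLink(html) {
  return /<a\s[^>]*href="http:\/\/attacker\.com"/i.test(html);
}

// Constructed inputs a custom sendVerificationRequest would receive.
const SAMPLE_ARGS = {
  url: "https://example.test/api/auth/callback/email?token=abc&email=x",
  email: ATTACKER_EMAIL,
  host: "example.test",
};
```

The escaped version still shows the address, which is useful when the mail is forwarded, but it only holds if every interpolation point uses the escaper; dropping the address entirely removes the whole class of mistake, which is why the fix took that route.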
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31127
reference_id
reference_type
scores
0
value 0.00591
scoring_system epss
scoring_elements 0.6979
published_at 2026-06-14T12:55:00Z
1
value 0.00591
scoring_system epss
scoring_elements 0.69688
published_at 2026-06-11T12:55:00Z
2
value 0.00591
scoring_system epss
scoring_elements 0.69778
published_at 2026-06-12T12:55:00Z
3
value 0.00591
scoring_system epss
scoring_elements 0.69792
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31127
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c
reference_id ae834f1e08a4a9915665eecb9479c74c6b039c9c
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/
url https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31127
reference_id CVE-2022-31127
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31127
4
reference_url https://next-auth.js.org/providers/email#customizing-emails
reference_id email#customizing-emails
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/
url https://next-auth.js.org/providers/email#customizing-emails
5
reference_url https://github.com/advisories/GHSA-pgjx-7f9g-9463
reference_id GHSA-pgjx-7f9g-9463
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pgjx-7f9g-9463
6
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463
reference_id GHSA-pgjx-7f9g-9463
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463
7
reference_url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0
reference_id next-auth%40v4.9.0
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/
url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0
8
reference_url https://next-auth.js.org/getting-started/upgrade-v4
reference_id upgrade-v4
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/
url https://next-auth.js.org/getting-started/upgrade-v4
fixed_packages
0
url pkg:npm/next-auth@3.29.8
purl pkg:npm/next-auth@3.29.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-sbmn-xem7-17aw
4
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.8
1
url pkg:npm/next-auth@4.9.0
purl pkg:npm/next-auth@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-9jgr-hm39-77fg
3
vulnerability VCID-sbmn-xem7-17aw
4
vulnerability VCID-smgj-837q-pfe2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.9.0
aliases CVE-2022-31127, GHSA-pgjx-7f9g-9463
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yrne-9dx3-rkev
9
url VCID-yyr1-tqng-xfe4
vulnerability_id VCID-yyr1-tqng-xfe4
summary `@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use the `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. When verifying the token in the email callback flow, the Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only for the identifier. An attacker who knows the victim's email could easily sign in as the victim, provided the attacker also knows the verification token's expiry duration. The vulnerability is patched in v3.0.2. A workaround is available: using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.
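The adapter defect described above, and the check the fix and the workaround both rely on (identifier AND token must match), as an added example over an in-memory store that stands in for Redis. This is a model, not the adapter's own code: `VerificationStore`, the key layout, and the sample data are constructed for this example, and tokens are kept as plain strings here although NextAuth normally stores them hashed.

```javascript
// Added example (not the adapter's code): the vulnerable lookup (identifier only)
// beside the fixed one (identifier and token, single use, unexpired) over an
// in-memory Map standing in for Upstash Redis. All data is constructed.

// Constant-time comparison so a wrong token does not leak via timing
// (in Node, crypto.timingSafeEqual on equal-length buffers is the usual tool).
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class VerificationStore {
  // `now` is injectable so expiry can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.rows = new Map(); // identifier -> { identifier, token, expires }
    this.now = now;
  }

  create({ identifier, token, expires }) {
    this.rows.set(identifier, { identifier, token, expires });
  }

  // Vulnerable shape: the row is found by identifier alone and consumed; the
  // caller's `token` is never compared, so any value works while the row exists.
  useVerificationTokenVulnerable({ identifier }) {
    const row = this.rows.get(identifier);
    if (!row) return null;
    this.rows.delete(identifier);
    return row;
  }

  // Fixed shape: identifier AND token must match. A wrong token neither logs the
  // caller in nor consumes the victim's real link; a correct token is single use
  // and is rejected if it has expired, whatever the caller checks afterwards.
  useVerificationTokenFixed({ identifier, token }) {
    const row = this.rows.get(identifier);
    if (!row) return null;
    if (!constantTimeEqual(row.token, token)) return null;
    this.rows.delete(identifier);
    if (row.expires <= this.now()) return null;
    return row;
  }

  has(identifier) {
    return this.rows.has(identifier);
  }
}

// Constructed scenario: the victim requested a magic link; the attacker knows
// only the victim's address and calls the callback with a guessed token.
function attackScenario(useFixed) {
  const store = new VerificationStore(() => 1_000_000);
  store.create({
    identifier: "victim@example.test",
    token: "c0ffee-real-token",
    expires: 1_000_000 + 24 * 3600 * 1000,
  });
  const use = useFixed ? store.useVerificationTokenFixed : store.useVerificationTokenVulnerable;
  const result = use.call(store, { identifier: "victim@example.test", token: "attacker-guess" });
  return {
    attackerLoggedIn: result !== null,
    victimLinkStillValid: store.has("victim@example.test"),
  };
}
```

The same comparison is what the Advanced Initialization workaround performs one layer up: before handing the email callback request to NextAuth, look the stored row up by the query's `email` and confirm the query's `token` matches it, and refuse the request otherwise.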
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39263
reference_id
reference_type
scores
0
value 0.00271
scoring_system epss
scoring_elements 0.50968
published_at 2026-06-14T12:55:00Z
1
value 0.00271
scoring_system epss
scoring_elements 0.50965
published_at 2026-06-12T12:55:00Z
2
value 0.00271
scoring_system epss
scoring_elements 0.50832
published_at 2026-06-11T12:55:00Z
3
value 0.00271
scoring_system epss
scoring_elements 0.50981
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39263
1
reference_url https://github.com/nextauthjs/next-auth
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nextauthjs/next-auth
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39263
reference_id CVE-2022-39263
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39263
3
reference_url https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9
reference_id d16e04848ee703cf797724194d4ad2907fe125a9
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:44Z/
url https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9
4
reference_url https://github.com/advisories/GHSA-4rxr-27mm-mxq9
reference_id GHSA-4rxr-27mm-mxq9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4rxr-27mm-mxq9
5
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9
reference_id GHSA-4rxr-27mm-mxq9
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:44Z/
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9
fixed_packages
0
url pkg:npm/next-auth@3.1.0
purl pkg:npm/next-auth@3.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-496f-xt1n-vyg4
1
vulnerability VCID-79cm-nfc6-gfa5
2
vulnerability VCID-7pmm-9rk3-gka2
3
vulnerability VCID-9jgr-hm39-77fg
4
vulnerability VCID-b5ve-atnr-m7cm
5
vulnerability VCID-bf1j-nb43-pudk
6
vulnerability VCID-jqpb-patf-zkf7
7
vulnerability VCID-sbmn-xem7-17aw
8
vulnerability VCID-smgj-837q-pfe2
9
vulnerability VCID-yrne-9dx3-rkev
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.1.0
aliases CVE-2022-39263, GHSA-4rxr-27mm-mxq9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yyr1-tqng-xfe4
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@2.0.0-beta.26