{"url":"http://public2.vulnerablecode.io/api/packages/525780?format=json","purl":"pkg:npm/next-auth@3.15.0-beta.3","type":"npm","namespace":"","name":"next-auth","version":"3.15.0-beta.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.24.12","latest_non_vulnerable_version":"5.0.0-beta.30","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/197876?format=json","vulnerability_id":"VCID-12pe-3jun-xqef","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31127","reference_id":"","reference_type":"","scores":[{"value":"0.00591","scoring_system":"epss","scoring_elements":"0.69533","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31127"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/"}],"url":"https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"},{"reference_url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/"}],"url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"},{"reference_url":"https://next-auth.js.org/getting-started/upgrade-v4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/"}],"url":"https://next-auth.js.org/getting-started/upgrade-v4"},{"reference_url":"https://next-auth.js.org/providers/email#customizing-emails","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/"}],"url":"https://next-auth.js.org/providers/email#customizing-emails"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31127","reference_id":"CVE-2022-31127","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31127"},{"reference_url":"https://github.com/advisories/GHSA-pgjx-7f9g-9463","reference_id":"GHSA-pgjx-7f9g-9463","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pgjx-7f9g-9463"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463","reference_id":"GHSA-pgjx-7f9g-9463","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:38Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78474?format=json","purl":"pkg:npm/next-auth@3.29.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"},{"vulnerability":"VCID-yfps-qmu1-m3bm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.8"},{"url":"http://public2.vulnerablecode.io/api/packages/78475?format=json","purl":"pkg:npm/next-auth@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"},{"vulnerability":"VCID-yfps-qmu1-m3bm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.9.0"}],"aliases":["CVE-2022-31127","GHSA-pgjx-7f9g-9463"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12pe-3jun-xqef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18866?format=json","vulnerability_id":"VCID-2815-seu2-93fk","summary":"Possible user mocking that bypasses basic authentication\nNextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48309","reference_id":"","reference_type":"","scores":[{"value":"0.00295","scoring_system":"epss","scoring_elements":"0.53027","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48309"},{"reference_url":"https://authjs.dev/guides/basics/role-based-access-control","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/"}],"url":"https://authjs.dev/guides/basics/role-based-access-control"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/"}],"url":"https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"},{"reference_url":"https://next-auth.js.org/configuration/nextjs#advanced-usage","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/"}],"url":"https://next-auth.js.org/configuration/nextjs#advanced-usage"},{"reference_url":"https://next-auth.js.org/configuration/nextjs#middlewar","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/"}],"url":"https://next-auth.js.org/configuration/nextjs#middlewar"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48309","reference_id":"CVE-2023-48309","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48309"},{"reference_url":"https://github.com/advisories/GHSA-v64w-49xw-qq89","reference_id":"GHSA-v64w-49xw-qq89","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v64w-49xw-qq89"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89","reference_id":"GHSA-v64w-49xw-qq89","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66624?format=json","purl":"pkg:npm/next-auth@4.24.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9768-mxkd-hfct"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.5"}],"aliases":["CVE-2023-48309","GHSA-v64w-49xw-qq89"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2815-seu2-93fk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20613?format=json","vulnerability_id":"VCID-9768-mxkd-hfct","summary":"NextAuthjs Email misdelivery Vulnerability\nNextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemailer`'s address parser used by the project (fixed in `nodemailer` **v7.0.7**). A crafted input such as:\n\n```\n\"e@attacker.com\"@victim.com\n```\n\nis parsed incorrectly and results in the message being delivered to `e@attacker.com` (attacker) instead of `\"<e@attacker.com>@victim.com\"` (the intended recipient at `victim.com`) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.\n\n<h2>Affected NextAuthjs Version</h2>\n\n≤ Version | Afftected\n-- | --\n4.24.11 | Yes\n5.0.0-beta.29 | Yes","references":[{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172"},{"reference_url":"https://github.com/advisories/GHSA-5jpx-9hw9-2fx4","reference_id":"GHSA-5jpx-9hw9-2fx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5jpx-9hw9-2fx4"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4","reference_id":"GHSA-5jpx-9hw9-2fx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70000?format=json","purl":"pkg:npm/next-auth@4.24.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.12"},{"url":"http://public2.vulnerablecode.io/api/packages/70001?format=json","purl":"pkg:npm/next-auth@5.0.0-beta.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@5.0.0-beta.30"}],"aliases":["GHSA-5jpx-9hw9-2fx4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9768-mxkd-hfct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15540?format=json","vulnerability_id":"VCID-ca3h-2e32-7ubu","summary":"NextAuth.js default redirect callback vulnerable to open redirects\nnext-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24858","reference_id":"","reference_type":"","scores":[{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55149","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24858"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50"},{"reference_url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2"},{"reference_url":"https://next-auth.js.org/configuration/callbacks#redirect-callback","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/"}],"url":"https://next-auth.js.org/configuration/callbacks#redirect-callback"},{"reference_url":"https://next-auth.js.org/getting-started/upgrade-v4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/"}],"url":"https://next-auth.js.org/getting-started/upgrade-v4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858","reference_id":"CVE-2022-24858","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858"},{"reference_url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:09Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60388?format=json","purl":"pkg:npm/next-auth@3.29.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2"},{"url":"http://public2.vulnerablecode.io/api/packages/525848?format=json","purl":"pkg:npm/next-auth@4.0.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/60389?format=json","purl":"pkg:npm/next-auth@4.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12pe-3jun-xqef"},{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"},{"vulnerability":"VCID-mtg2-qyna-suad"},{"vulnerability":"VCID-yfps-qmu1-m3bm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2"}],"aliases":["CVE-2022-24858","GHSA-f9wg-5f46-cjmw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ca3h-2e32-7ubu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17064?format=json","vulnerability_id":"VCID-d2s4-tdr8-u7cs","summary":"Session Fixation\nNextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27490","reference_id":"","reference_type":"","scores":[{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47856","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27490"},{"reference_url":"https://authjs.dev/reference/core/providers#checks","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://authjs.dev/reference/core/providers#checks"},{"reference_url":"https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not"},{"reference_url":"https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55"},{"reference_url":"https://next-auth.js.org/configuration/initialization#advanced-initialization","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://next-auth.js.org/configuration/initialization#advanced-initialization"},{"reference_url":"https://next-auth.js.org/configuration/providers/oauth","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://next-auth.js.org/configuration/providers/oauth"},{"reference_url":"https://security.netapp.com/advisory/ntap-20230420-0006","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20230420-0006"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc6749#section-10.12","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://www.rfc-editor.org/rfc/rfc6749#section-10.12"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27490","reference_id":"CVE-2023-27490","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27490"},{"reference_url":"https://github.com/advisories/GHSA-7r7x-4c4q-c4qf","reference_id":"GHSA-7r7x-4c4q-c4qf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7r7x-4c4q-c4qf"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf","reference_id":"GHSA-7r7x-4c4q-c4qf","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf"},{"reference_url":"https://security.netapp.com/advisory/ntap-20230420-0006/","reference_id":"ntap-20230420-0006","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/"}],"url":"https://security.netapp.com/advisory/ntap-20230420-0006/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63101?format=json","purl":"pkg:npm/next-auth@4.20.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.20.1"}],"aliases":["CVE-2023-27490","GHSA-7r7x-4c4q-c4qf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d2s4-tdr8-u7cs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200949?format=json","vulnerability_id":"VCID-h123-vuvr-uke6","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35924","reference_id":"","reference_type":"","scores":[{"value":"0.0042","scoring_system":"epss","scoring_elements":"0.62245","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35924"},{"reference_url":"https://en.wikipedia.org/wiki/Email_address#Local-part","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://en.wikipedia.org/wiki/Email_address#Local-part"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"},{"reference_url":"https://next-auth.js.org/configuration/callbacks#sign-in-callback","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://next-auth.js.org/configuration/callbacks#sign-in-callback"},{"reference_url":"https://next-auth.js.org/configuration/initialization#advanced-initialization","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://next-auth.js.org/configuration/initialization#advanced-initialization"},{"reference_url":"https://next-auth.js.org/providers/email","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://next-auth.js.org/providers/email"},{"reference_url":"https://next-auth.js.org/providers/email#normalizing-the-e-mail-address","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"},{"reference_url":"https://next-auth.js.org/providers/email#normalizing-the-email-address","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://next-auth.js.org/providers/email#normalizing-the-email-address"},{"reference_url":"https://nodemailer.com/message/addresses","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://nodemailer.com/message/addresses"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35924","reference_id":"CVE-2022-35924","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35924"},{"reference_url":"https://github.com/advisories/GHSA-xv97-c62v-4587","reference_id":"GHSA-xv97-c62v-4587","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xv97-c62v-4587"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587","reference_id":"GHSA-xv97-c62v-4587","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78723?format=json","purl":"pkg:npm/next-auth@3.29.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.10"},{"url":"http://public2.vulnerablecode.io/api/packages/78724?format=json","purl":"pkg:npm/next-auth@4.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.10.3"}],"aliases":["CVE-2022-35924","GHSA-xv97-c62v-4587"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h123-vuvr-uke6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/195672?format=json","vulnerability_id":"VCID-mtg2-qyna-suad","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29214","reference_id":"","reference_type":"","scores":[{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.47094","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29214"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:57Z/"}],"url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29214","reference_id":"CVE-2022-29214","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29214"},{"reference_url":"https://github.com/advisories/GHSA-q2mx-j4x2-2h74","reference_id":"GHSA-q2mx-j4x2-2h74","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2mx-j4x2-2h74"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74","reference_id":"GHSA-q2mx-j4x2-2h74","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:57Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77927?format=json","purl":"pkg:npm/next-auth@3.29.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12pe-3jun-xqef"},{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"},{"vulnerability":"VCID-yfps-qmu1-m3bm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.3"},{"url":"http://public2.vulnerablecode.io/api/packages/77928?format=json","purl":"pkg:npm/next-auth@4.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12pe-3jun-xqef"},{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"},{"vulnerability":"VCID-yfps-qmu1-m3bm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.3"}],"aliases":["CVE-2022-29214","GHSA-q2mx-j4x2-2h74"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mtg2-qyna-suad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/197928?format=json","vulnerability_id":"VCID-yfps-qmu1-m3bm","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31186","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17706","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31186"},{"reference_url":"https://github.com/nextauthjs/next-auth","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nextauthjs/next-auth"},{"reference_url":"https://next-auth.js.org/configuration/options#logger","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/"}],"url":"https://next-auth.js.org/configuration/options#logger"},{"reference_url":"https://next-auth.js.org/getting-started/upgrade-v4","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/"}],"url":"https://next-auth.js.org/getting-started/upgrade-v4"},{"reference_url":"https://next-auth.js.org/warnings#debug_enabled","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/"}],"url":"https://next-auth.js.org/warnings#debug_enabled"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31186","reference_id":"CVE-2022-31186","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31186"},{"reference_url":"https://github.com/advisories/GHSA-p6mm-27gq-9v3p","reference_id":"GHSA-p6mm-27gq-9v3p","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6mm-27gq-9v3p"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3p","reference_id":"GHSA-p6mm-27gq-9v3p","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:02:52Z/"}],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78754?format=json","purl":"pkg:npm/next-auth@3.29.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.9"},{"url":"http://public2.vulnerablecode.io/api/packages/78755?format=json","purl":"pkg:npm/next-auth@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2815-seu2-93fk"},{"vulnerability":"VCID-9768-mxkd-hfct"},{"vulnerability":"VCID-d2s4-tdr8-u7cs"},{"vulnerability":"VCID-h123-vuvr-uke6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.10.2"}],"aliases":["CVE-2022-31186","GHSA-p6mm-27gq-9v3p"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yfps-qmu1-m3bm"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.15.0-beta.3"}