Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next-auth@4.3.2

Type npm

Namespace

Name next-auth

Version 4.3.2

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 4.20.1

Latest_non_vulnerable_version 5.0.0-beta.30

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-8r8h-7m4p-f3hz

vulnerability_id VCID-8r8h-7m4p-f3hz

summary

NextAuth.js default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.

references

reference_url	https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
reference_id
reference_type
scores
url	https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50

reference_url	https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
reference_id
reference_type
scores
url	https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2

reference_url	https://next-auth.js.org/configuration/callbacks#redirect-callback
reference_id
reference_type
scores
url	https://next-auth.js.org/configuration/callbacks#redirect-callback

reference_url	https://next-auth.js.org/getting-started/upgrade-v4
reference_id
reference_type
scores
url	https://next-auth.js.org/getting-started/upgrade-v4

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-24858
reference_id	CVE-2022-24858
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-24858

reference_url	https://github.com/advisories/GHSA-f9wg-5f46-cjmw
reference_id	GHSA-f9wg-5f46-cjmw
reference_type
scores
url	https://github.com/advisories/GHSA-f9wg-5f46-cjmw

reference_url	https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
reference_id	GHSA-f9wg-5f46-cjmw
reference_type
scores
url	https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw

fixed_packages

url	pkg:npm/next-auth@3.29.2
purl	pkg:npm/next-auth@3.29.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2

url	pkg:npm/next-auth@4.3.2
purl	pkg:npm/next-auth@4.3.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2

aliases CVE-2022-24858, GHSA-f9wg-5f46-cjmw

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8r8h-7m4p-f3hz

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2

Package Instance