{"url":"http://public2.vulnerablecode.io/api/packages/61420?format=json","purl":"pkg:npm/next-auth@4.3.2","type":"npm","namespace":"","name":"next-auth","version":"4.3.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.20.1","latest_non_vulnerable_version":"5.0.0-beta.30","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42935?format=json","vulnerability_id":"VCID-8r8h-7m4p-f3hz","summary":"NextAuth.js default redirect callback vulnerable to open redirects\nnext-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.","references":[{"reference_url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50"},{"reference_url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2"},{"reference_url":"https://next-auth.js.org/configuration/callbacks#redirect-callback","reference_id":"","reference_type":"","scores":[],"url":"https://next-auth.js.org/configuration/callbacks#redirect-callback"},{"reference_url":"https://next-auth.js.org/getting-started/upgrade-v4","reference_id":"","reference_type":"","scores":[],"url":"https://next-auth.js.org/getting-started/upgrade-v4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858","reference_id":"CVE-2022-24858","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858"},{"reference_url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61419?format=json","purl":"pkg:npm/next-auth@3.29.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2"},{"url":"http://public2.vulnerablecode.io/api/packages/61420?format=json","purl":"pkg:npm/next-auth@4.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2"}],"aliases":["CVE-2022-24858","GHSA-f9wg-5f46-cjmw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8r8h-7m4p-f3hz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2"}