Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/618255?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/618255?format=api", "purl": "pkg:npm/next-auth@4.0.0-next.10", "type": "npm", "namespace": "", "name": "next-auth", "version": "4.0.0-next.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.24.12", "latest_non_vulnerable_version": "5.0.0-beta.30", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/146356?format=api", "vulnerability_id": "VCID-79cm-nfc6-gfa5", "summary": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48309", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00295", "scoring_system": "epss", "scoring_elements": "0.53293", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00295", "scoring_system": "epss", "scoring_elements": "0.53166", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48309" }, { "reference_url": "https://github.com/nextauthjs/next-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48309", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48309" }, { "reference_url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "reference_id": "d237059b6d0cb868c041ba18b698e0cee20a2f10", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/" } ], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10" }, { "reference_url": "https://github.com/advisories/GHSA-v64w-49xw-qq89", "reference_id": "GHSA-v64w-49xw-qq89", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v64w-49xw-qq89" }, { "reference_url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "reference_id": "GHSA-v64w-49xw-qq89", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/" } ], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89" }, { "reference_url": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "reference_id": "nextjs#advanced-usage", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/" } ], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage" }, { "reference_url": "https://next-auth.js.org/configuration/nextjs#middlewar", "reference_id": "nextjs#middlewar", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/" } ], "url": "https://next-auth.js.org/configuration/nextjs#middlewar" }, { "reference_url": "https://authjs.dev/guides/basics/role-based-access-control", "reference_id": "role-based-access-control", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/" } ], "url": "https://authjs.dev/guides/basics/role-based-access-control" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381243?format=api", "purl": "pkg:npm/next-auth@4.24.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9jgr-hm39-77fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.5" } ], "aliases": [ "CVE-2023-48309", "GHSA-v64w-49xw-qq89" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-79cm-nfc6-gfa5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212330?format=api", "vulnerability_id": "VCID-9jgr-hm39-77fg", "summary": "NextAuthjs Email misdelivery Vulnerability", "references": [ { "reference_url": "https://github.com/nextauthjs/next-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth" }, { "reference_url": "https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece" }, { "reference_url": "https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172" }, { "reference_url": "https://github.com/advisories/GHSA-5jpx-9hw9-2fx4", "reference_id": "GHSA-5jpx-9hw9-2fx4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5jpx-9hw9-2fx4" }, { "reference_url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4", "reference_id": "GHSA-5jpx-9hw9-2fx4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34863?format=api", "purl": "pkg:npm/next-auth@4.24.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/34862?format=api", "purl": "pkg:npm/next-auth@5.0.0-beta.30", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@5.0.0-beta.30" } ], "aliases": [ "GHSA-5jpx-9hw9-2fx4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jgr-hm39-77fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/145578?format=api", "vulnerability_id": "VCID-smgj-837q-pfe2", "summary": "NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47966", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.48106", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27490" }, { "reference_url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not" }, { "reference_url": "https://github.com/nextauthjs/next-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth" }, { "reference_url": "https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nextauthjs/next-auth/compare/next-auth@4.20.0...next-auth@4.20.1#diff-cf9257195d0cb6a835ae4ff1fc73fe2cac0bab847efb0832c1f551209a972b47R55" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27490", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27490" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230420-0006", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230420-0006" }, { "reference_url": "https://github.com/advisories/GHSA-7r7x-4c4q-c4qf", "reference_id": "GHSA-7r7x-4c4q-c4qf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7r7x-4c4q-c4qf" }, { "reference_url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf", "reference_id": "GHSA-7r7x-4c4q-c4qf", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf" }, { "reference_url": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "reference_id": "initialization#advanced-initialization", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230420-0006/", "reference_id": "ntap-20230420-0006", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20230420-0006/" }, { "reference_url": "https://next-auth.js.org/configuration/providers/oauth", "reference_id": "oauth", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://next-auth.js.org/configuration/providers/oauth" }, { "reference_url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/", "reference_id": "pkce-vs-nonce-equivalent-or-not", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/" }, { "reference_url": "https://authjs.dev/reference/core/providers#checks", "reference_id": "providers#checks", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://authjs.dev/reference/core/providers#checks" }, { "reference_url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12", "reference_id": "rfc6749#section-10.12", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:38Z/" } ], "url": "https://www.rfc-editor.org/rfc/rfc6749#section-10.12" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381016?format=api", "purl": "pkg:npm/next-auth@4.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-79cm-nfc6-gfa5" }, { "vulnerability": "VCID-9jgr-hm39-77fg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.20.1" } ], "aliases": [ "CVE-2023-27490", "GHSA-7r7x-4c4q-c4qf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smgj-837q-pfe2" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0-next.10" }