Lookup for vulnerable packages by Package URL.

Purl: pkg:npm/next-auth@4.24.5
Type: npm
Namespace:
Name: next-auth
Version: 4.24.5
Qualifiers:
Subpath:
Is_vulnerable: false
Next_non_vulnerable_version: 4.24.12
Latest_non_vulnerable_version: 5.0.0-beta.30
Affected_by_vulnerabilities: (none)
Fixing_vulnerabilities:
  [0]
  url: VCID-2815-seu2-93fk
  vulnerability_id: VCID-2815-seu2-93fk
  summary: Possible user mocking that bypasses basic authentication

  NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this unrelated JWT would let the user simulate a logged-in user, albeit one with no user information associated with it (the only property on this user is an opaque, randomly generated string). This vulnerability does not give access to other users' data, nor to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (i.e. no name, email, access_token, etc.). This vulnerability can be exploited by bad actors to peek at logged-in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, developers can perform basic authentication manually by using a custom authorization callback for Middleware.
  references:
    [0] reference_url: https://api.first.org/data/v1/epss?cve=CVE-2023-48309
        reference_id:
        reference_type:
        scores:
          epss: 0.00295 (scoring_elements 0.53027, published_at 2026-05-30T12:55:00Z)
    [1] reference_url: https://authjs.dev/guides/basics/role-based-access-control
        reference_id:
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
          ssvc: Track (SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/)
    [2] reference_url: https://github.com/nextauthjs/next-auth
        reference_id:
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
    [3] reference_url: https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10
        reference_id:
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
          ssvc: Track (SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/)
    [4] reference_url: https://next-auth.js.org/configuration/nextjs#advanced-usage
        reference_id:
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
          ssvc: Track (SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/)
    [5] reference_url: https://next-auth.js.org/configuration/nextjs#middlewar
        reference_id:
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
          ssvc: Track (SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/)
    [6] reference_url: https://nvd.nist.gov/vuln/detail/CVE-2023-48309
        reference_id: CVE-2023-48309
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          generic_textual: MODERATE
    [7] reference_url: https://github.com/advisories/GHSA-v64w-49xw-qq89
        reference_id: GHSA-v64w-49xw-qq89
        reference_type:
        scores:
          cvssv3.1_qr: MODERATE
    [8] reference_url: https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89
        reference_id: GHSA-v64w-49xw-qq89
        reference_type:
        scores:
          cvssv3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
          cvssv3.1_qr: MODERATE
          generic_textual: MODERATE
          ssvc: Track (SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:40:21Z/)
  fixed_packages:
    [0] url: pkg:npm/next-auth@4.24.5
        purl: pkg:npm/next-auth@4.24.5
        is_vulnerable: false
        affected_by_vulnerabilities: (none)
        resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.5
  aliases: CVE-2023-48309, GHSA-v64w-49xw-qq89
  risk_score: null
  exploitability: null
  weighted_severity: null
  resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-2815-seu2-93fk
Risk_score: null
Resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.24.5