Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-8r8h-7m4p-f3hz
Summary
NextAuth.js default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
Aliases
0
alias CVE-2022-24858
1
alias GHSA-f9wg-5f46-cjmw
Fixed_packages
0
url pkg:npm/next-auth@3.29.2
purl pkg:npm/next-auth@3.29.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2
1
url pkg:npm/next-auth@4.3.2
purl pkg:npm/next-auth@4.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2
Affected_packages
0
url pkg:npm/next-auth@4.0.0
purl pkg:npm/next-auth@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8r8h-7m4p-f3hz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0
References
0
reference_url https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
reference_id
reference_type
scores
url https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
1
reference_url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
reference_id
reference_type
scores
url https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
2
reference_url https://next-auth.js.org/configuration/callbacks#redirect-callback
reference_id
reference_type
scores
url https://next-auth.js.org/configuration/callbacks#redirect-callback
3
reference_url https://next-auth.js.org/getting-started/upgrade-v4
reference_id
reference_type
scores
url https://next-auth.js.org/getting-started/upgrade-v4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24858
reference_id CVE-2022-24858
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-24858
5
reference_url https://github.com/advisories/GHSA-f9wg-5f46-cjmw
reference_id GHSA-f9wg-5f46-cjmw
reference_type
scores
url https://github.com/advisories/GHSA-f9wg-5f46-cjmw
6
reference_url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
reference_id GHSA-f9wg-5f46-cjmw
reference_type
scores
url https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 601
name URL Redirection to Untrusted Site ('Open Redirect')
description A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-8r8h-7m4p-f3hz