{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42935?format=json","vulnerability_id":"VCID-8r8h-7m4p-f3hz","summary":"NextAuth.js default redirect callback vulnerable to open redirects\nnext-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.","aliases":[{"alias":"CVE-2022-24858"},{"alias":"GHSA-f9wg-5f46-cjmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61419?format=json","purl":"pkg:npm/next-auth@3.29.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@3.29.2"},{"url":"http://public2.vulnerablecode.io/api/packages/61420?format=json","purl":"pkg:npm/next-auth@4.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.3.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61418?format=json","purl":"pkg:npm/next-auth@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8r8h-7m4p-f3hz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-auth@4.0.0"}],"references":[{"reference_url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50"},{"reference_url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2"},{"reference_url":"https://next-auth.js.org/configuration/callbacks#redirect-callback","reference_id":"","reference_type":"","scores":[],"url":"https://next-auth.js.org/configuration/callbacks#redirect-callback"},{"reference_url":"https://next-auth.js.org/getting-started/upgrade-v4","reference_id":"","reference_type":"","scores":[],"url":"https://next-auth.js.org/getting-started/upgrade-v4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858","reference_id":"CVE-2022-24858","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24858"},{"reference_url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f9wg-5f46-cjmw"},{"reference_url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw","reference_id":"GHSA-f9wg-5f46-cjmw","reference_type":"","scores":[],"url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":601,"name":"URL Redirection to Untrusted Site ('Open Redirect')","description":"A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8r8h-7m4p-f3hz"}