GHSA-f9wg-5f46-cjmw

Published: 22 Apr 2022
Source: github
GitHub: reviewed
CVSS3: 6.1

Description

NextAuth.js default redirect callback vulnerable to open redirects

next-auth v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our migration guide.) next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
  // Allows relative callback URLs
  if (url.startsWith("/")) return new URL(url, baseUrl).toString()
  // Allows callback URLs on the same origin
  else if (new URL(url).origin === baseUrl) return url
  return baseUrl
}

If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.
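As an added example that is not part of the advisory or of next-auth's own code, the callback below resolves both relative and absolute callback URLs against baseUrl and compares origin with origin, so that only same-origin targets are followed and everything else falls back to baseUrl; the helper name `safeRedirectTarget`, the host app.example and the sample URLs are assumptions for illustration.

```javascript
// Added example, not next-auth's own code: a redirect callback that only
// follows callback URLs on the same origin as baseUrl.

// Resolve `url` against `baseUrl` and return the result only when its
// origin (scheme + host + port) equals that of `baseUrl`; otherwise
// return `baseUrl` so the user lands on the site's own home page.
function safeRedirectTarget(url, baseUrl) {
  const base = new URL(baseUrl);
  let target;
  try {
    // A relative path like "/dashboard" resolves against base; an absolute
    // URL keeps its own origin, which the comparison below then checks.
    target = new URL(url, base);
  } catch (err) {
    // Unparsable input: never pass it on, go home instead.
    return base.toString();
  }
  // Comparing origin with origin (rather than origin with the raw baseUrl
  // string) tolerates a trailing slash on baseUrl and sends
  // protocol-relative ("//other.example") and look-alike hosts home.
  if (target.origin !== base.origin) return base.toString();
  return target.toString();
}

// The v4 callback shape; v3 uses positional (url, baseUrl) arguments.
const callbacks = {
  async redirect({ url, baseUrl }) {
    return safeRedirectTarget(url, baseUrl);
  },
};

// Constructed sample inputs for a site served at https://app.example.
const SAMPLES = [
  "/dashboard",
  "https://app.example/settings?tab=1",
  "https://other.example/",
  "//other.example/login",
  "https://app.example.other.example/",
];

// Returns a map of input -> resolved redirect target for the samples.
function demo(baseUrl = "https://app.example") {
  const out = {};
  for (const u of SAMPLES) out[u] = safeRedirectTarget(u, baseUrl);
  return out;
}

for (const [u, t] of Object.entries(demo())) console.log(u, "->", t);
```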

Packages

Name: next-auth (npm)
Affected versions: < 3.29.2
Patched version: 3.29.2

Name: next-auth (npm)
Affected versions: >= 4.0.0, < 4.3.2
Patched version: 4.3.2

EPSS

Percentile: 54%
Score: 0.00318
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-290 (Authentication Bypass by Spoofing)
CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

Related vulnerabilities

CVSS3: 6.1
Source: nvd
Published almost 4 years ago

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.

EPSS

Percentile: 54%
Score: 0.00318
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-290 (Authentication Bypass by Spoofing)
CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")