Description
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a redirect callback, make sure that you match the incoming URL's origin against the baseUrl.
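The mitigation described above, as an added example rather than next-auth's own code: a redirect callback that resolves the incoming url against baseUrl and only forwards to it when the origins match. The names `safeRedirect` and `authOptions` are chosen here; the `{ url, baseUrl }` argument shape is next-auth v4's (v3 passes the same two values as positional arguments).

```javascript
// Added example (not next-auth's code): an origin-checking redirect callback.
// Relative paths resolve to baseUrl and are allowed; absolute URLs are allowed
// only when their origin equals baseUrl's origin; everything else falls back
// to baseUrl so the sign-in flow can never forward the user off-site.
function safeRedirect({ url, baseUrl }) {
  const home = new URL(baseUrl).origin;
  let target;
  try {
    // Resolving against baseUrl turns "/dashboard" into an absolute URL and
    // turns a protocol-relative "//other.example/x" into "https://other.example/x",
    // so the origin comparison below catches it instead of a startsWith("/") check
    // treating it as a local path.
    target = new URL(url, baseUrl);
  } catch (_err) {
    return baseUrl; // unparsable callbackUrl: never forward it
  }
  // Non-http(s) schemes have origin "null" and therefore never match `home`.
  if (target.origin !== home) {
    return baseUrl;
  }
  return target.href;
}

// How it plugs into the next-auth `callbacks` option (v4 object signature).
const authOptions = {
  callbacks: {
    async redirect({ url, baseUrl }) {
      return safeRedirect({ url, baseUrl });
    },
  },
};
```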
References
- Mitigation, Third Party Advisory
- Vendor Advisory
- Vendor Advisory
- Mitigation, Third Party Advisory
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1
- Version from 3.0.0 (inclusive) to 3.29.2 (exclusive)
- Version from 4.0.0 (inclusive) to 4.3.2 (exclusive)
One of:
cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 54%
Score: 0.00318
Low
6.1 Medium
CVSS3
6.1 Medium
CVSS3
5.8 Medium
CVSS2
Weaknesses (CWE)
CWE-290
CWE-601
Related vulnerabilities
CVSS3: 6.1
github
almost 4 years ago
NextAuth.js default redirect callback vulnerable to open redirects