Npm · Next-Auth · CVE-2023-48309
**Name of the Vulnerable Software and Affected Versions**
next-auth versions prior to 4.24.5
**Description**
A vulnerability in next-auth allows a bad actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow and manually overriding the `next-auth.session-token` cookie value. This mock user has no information associated with it, but can be used to simulate a logged-in user and potentially peek at logged-in user states, such as dashboard layouts. The vulnerability does not give access to other users' data or resources that require proper authorization.
**Recommendations**
For versions prior to 4.24.5, upgrade to version 4.24.5 or later by running `npm i next-auth@latest`, `yarn add next-auth@latest`, or `pnpm add next-auth@latest`.
As a temporary workaround, developers can use a custom authorization callback for Middleware to manually perform basic authentication, such as checking the existence of a property like `email` on the `token` object.
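As an added example (not code from the advisory or from next-auth itself), here is the workaround's `authorized` callback beside the permissive "token exists" check it replaces, run over constructed tokens so the difference is visible. It assumes `token` is the decoded session-token object NextAuth.js Middleware passes to `callbacks.authorized`, and that the stock behaviour is a bare truthiness test.

```javascript
// Added example, not part of the CVE-2023-48309 advisory or of next-auth.
// Shows why "a session token decoded" is not the same as "a user signed in",
// and how the advisory's workaround (require a real claim such as `email`)
// rejects the mock user produced by an interrupted OAuth flow.

// Permissive check: passes whenever any session token decodes at all.
// (Assumed to mirror the stock `authorized` behaviour of next-auth/middleware.)
function permissiveAuthorized({ token }) {
  return !!token;
}

// Hardened check, per the advisory's workaround: the token must carry an
// identity claim (`email`), not just JWT metadata like iat/exp/jti.
function hardenedAuthorized({ token }) {
  return typeof token?.email === "string" && token.email.length > 0;
}

// Constructed sample tokens (not real data):
// no cookie, or a cookie that failed to decode
const noToken = null;
// mock user from an interrupted OAuth flow: only standard JWT fields, no profile
const mockToken = { iat: 1700000000, exp: 1702592000, jti: "constructed-jti-1" };
// a genuine signed-in user
const realToken = {
  name: "Alex", email: "alex@example.com", sub: "user-123",
  iat: 1700000000, exp: 1702592000, jti: "constructed-jti-2",
};

// Run each token through both checks and return the outcomes side by side.
function compareChecks(tokens) {
  const results = {};
  for (const [label, token] of Object.entries(tokens)) {
    results[label] = {
      permissive: permissiveAuthorized({ token }),
      hardened: hardenedAuthorized({ token }),
    };
  }
  return results;
}

// The object you would hand to withAuth() from "next-auth/middleware":
//   export default withAuth({ callbacks: { authorized: hardenedAuthorized } })
const middlewareCallbacks = { callbacks: { authorized: hardenedAuthorized } };

// mockToken: permissive=true (the bug), hardened=false (the workaround)
console.table(compareChecks({ noToken, mockToken, realToken }));
```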