npm · NextAuth.js · CVE-2023-27490
**Name of the Vulnerable Software and Affected Versions**
NextAuth.js (the `next-auth` npm package), all versions prior to v4.20.1
**Description**
An attacker who can intercept and tamper with the OAuth authorization URL (for example by reading the victim's network traffic or by getting the victim to open a manipulated login link) can log in as the victim, bypassing the CSRF protection that the `state` check is meant to provide. The root cause is a partial failure during a compromised OAuth session: the callback checks do not fully fail the flow, so a session is erroneously created. The advisory gives no estimate of how many deployments are affected.
Technical details about exploitation include:
- API Endpoints: `/api/auth/callback/:providerId` (the OAuth callback route, where the attacker-controlled URL lands)
- Vulnerable Parameters or Variables: the `state`, `pkce`, and `nonce` checks a provider is configured with, and the per-browser values they are compared against
- Function Names: not explicitly mentioned in the advisory
**Recommendations**
For versions prior to v4.20.1, upgrade to version v4.20.1 or later by running `npm i next-auth@latest`, `yarn add next-auth@latest`, or `pnpm add next-auth@latest`.
As a temporary workaround for users unable to upgrade, use Advanced Initialization to check the callback request yourself: compare `state`, `pkce`, and `nonce` against what the provider configuration requires, and abort the sign-in if any configured check does not match. Treat an absent value (no stored state, no PKCE verifier, no nonce in the ID token) as a mismatch rather than as a check to skip, since the vulnerability is precisely a check that does not fully fail.