Next-Auth · Next-Auth · CVE-2022-24858
**Name of the Vulnerable Software and Affected Versions**
next-auth versions 3.0.0 through 3.29.1
next-auth versions 4.0.0 through 4.3.1
**Description**
The issue affects next-auth users on version 3 before 3.29.2 and on version 4 before 4.3.2. Upgrading to 3.29.2 or 4.3.2 patches the vulnerability. If an upgrade is not possible, a `redirect` callback added under the `callbacks` option mitigates it. Users who already have a `redirect` callback must make it check the origin of the incoming `url` against `baseUrl`, so that only same-origin targets are returned.
**Recommendations**
For next-auth versions 3.0.0 through 3.29.1, upgrade to version 3.29.2 to patch the vulnerability.
For next-auth versions 4.0.0 through 4.3.1, upgrade to version 4.3.2 to patch the vulnerability.
As a temporary workaround, add a `redirect` callback under the `callbacks` option that validates the origin of the incoming `url` against `baseUrl`.
If you already have a `redirect` callback, modify it so that the incoming `url` is only returned when its origin matches `baseUrl`, using a function similar to:
```js
async redirect({ url, baseUrl }) {
  // Resolve relative callback URLs against baseUrl, then allow the result only if it is
  // same-origin; checking after resolution also rejects protocol-relative "//host" values
  try {
    const target = new URL(url, baseUrl)
    if (target.origin === new URL(baseUrl).origin) return target.toString()
  } catch {} // an unparsable url falls through to the safe default
  return baseUrl
}
```
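The following is an added example, not code from the advisory or from the next-auth project. CVE-2022-24858 concerns the callback URL a user is sent to after sign-in, so the example implements the same-origin check described above as a stand-alone function, runs it over a set of constructed callback URLs (the hosts `app.example` and `other.example` are hypothetical), and reports which inputs would keep the user on the site's own origin. It runs under Node.js with no dependencies; `baseUrl` is assumed to be the site origin without a trailing slash, which is what next-auth passes to the callback.

```javascript
// Hardened same-origin check for a next-auth `redirect` callback (added example, not
// the project's code). Resolves `url` against `baseUrl` first, then compares origins,
// so relative paths, protocol-relative "//host" values and backslash variants are all
// judged by where they actually resolve to.
function resolveCallbackUrl(url, baseUrl) {
  const allowedOrigin = new URL(baseUrl).origin;
  try {
    const target = new URL(url, baseUrl); // relative input resolves against baseUrl
    if (target.origin === allowedOrigin) return target.toString();
  } catch {
    // unparsable input: fall through to the safe default below
  }
  return baseUrl; // any cross-origin or invalid value lands on the site root
}

// Shape next-auth expects for the callback; delegates to the synchronous check above.
async function redirect({ url, baseUrl }) {
  return resolveCallbackUrl(url, baseUrl);
}

// Evaluates every input and records the destination plus whether it stays same-origin.
function evaluate(baseUrl, urls) {
  const allowedOrigin = new URL(baseUrl).origin;
  const results = {};
  for (const url of urls) {
    const dest = resolveCallbackUrl(url, baseUrl);
    results[url] = { dest, sameOrigin: new URL(dest).origin === allowedOrigin };
  }
  return results;
}

// Constructed sample inputs; "https://app.example" stands in for the protected site.
const BASE_URL = "https://app.example";
const SAMPLE_URLS = [
  "/dashboard",                        // relative path: kept
  "https://app.example/settings?x=1",  // absolute, same origin: kept
  "//other.example/phish",             // protocol-relative: resolves cross-origin, rejected
  "/\\other.example",                  // backslash form the WHATWG parser treats like "//"
  "https://other.example/",            // absolute cross-origin: rejected
  "http://app.example/",               // same host, different scheme = different origin
  "http://",                           // unparsable: rejected via the catch branch
];

function main() {
  const results = evaluate(BASE_URL, SAMPLE_URLS);
  for (const [input, { dest, sameOrigin }] of Object.entries(results)) {
    console.log(`${sameOrigin ? "keep  " : "REJECT"} ${JSON.stringify(input)} -> ${dest}`);
  }
}

main();
```

The decisive design choice is to compare origins only after `new URL(url, baseUrl)` has resolved the input: a bare `startsWith("/")` test would accept `//other.example/phish`, which the URL parser then turns into a fully qualified cross-origin address.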