Unknown · Nextauth.Js · CVE-2022-31093
**Name of the Vulnerable Software and Affected Versions**
NextAuth.js versions prior to 3.29.5
NextAuth.js versions prior to 4.5.0
**Description**
An attacker can send a request to an application using NextAuth.js with an invalid `callbackUrl` query parameter. NextAuth.js converts this parameter internally into a `URL` object; the `URL` constructor throws on a malformed value, and because that error was not handled, the API route handler timed out and sign-in failed.
**Recommendations**
For NextAuth.js versions prior to 3.29.5, update to version 3.29.5 or later.
For NextAuth.js versions prior to 4.5.0, update to version 4.5.0 or later.
As a temporary workaround, consider using Advanced Initialization to validate the `callbackUrl` query parameter before passing it to the NextAuth.js API.
For example, you can add a validation function to check if the `callbackUrl` is a valid HTTP URL before calling the NextAuth.js API.
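As an added example (not code from the NextAuth.js project or from this advisory), the following JavaScript shows one way to implement that workaround: a validator built on the `URL` constructor, which rejects exactly the malformed input that the vulnerable versions let throw, plus a wrapper for an Advanced Initialization handler in `pages/api/auth/[...nextauth].js`. The names `isValidHttpUrl`, `withCallbackUrlCheck` and `simulate`, and the fake request/response objects used to exercise the wrapper offline, are assumptions for this example.

```javascript
// Added example, not NextAuth.js project code. Assumed helper names.

// Returns true only when `value` is a string that parses as a URL with an
// http: or https: scheme. `new URL()` throws a TypeError on malformed input,
// which is the unhandled error the vulnerable versions let escape from the
// API route; catching it here keeps the route from timing out.
function isValidHttpUrl(value) {
  // Next.js hands repeated query keys over as arrays; treat those as invalid.
  if (typeof value !== "string" || value.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (err) {
    return false; // malformed URL: would have thrown inside NextAuth.js
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Wraps a NextAuth-style handler `(req, res) => ...`. When callbackUrl is
// present and invalid, respond 400 and never invoke the wrapped handler.
function withCallbackUrlCheck(handler) {
  return function guarded(req, res) {
    const { callbackUrl } = req.query || {};
    if (callbackUrl !== undefined && !isValidHttpUrl(callbackUrl)) {
      res.status(400).json({ error: "Invalid callbackUrl" });
      return undefined;
    }
    return handler(req, res);
  };
}

// In pages/api/auth/[...nextauth].js (Advanced Initialization) this would be:
//   export default withCallbackUrlCheck((req, res) => NextAuth(req, res, options));

// --- Constructed, offline exercise of the wrapper (no Next.js needed) ---
function makeFakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Runs the guarded handler against a constructed query object and reports
// the resulting status code and whether the inner handler was reached.
function simulate(query) {
  let handlerCalled = false;
  const guarded = withCallbackUrlCheck((req, res) => {
    handlerCalled = true;
    res.status(200).json({ ok: true });
  });
  const res = makeFakeRes();
  guarded({ query }, res);
  return { status: res.statusCode, handlerCalled };
}
```

The check only guards against input that would crash the route; which destinations a sign-in is allowed to return to is still decided by the application's normal NextAuth.js configuration, and applications that rely on relative `callbackUrl` values such as `/dashboard` would need to resolve them against their own base URL before applying this validator.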