PT-2021-23952 · Auth0 · Auth0 Next.Js Sdk

Adamjmcgrath · Published 2021-12-16 · Updated 2021-12-22 · CVE-2021-43812

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Auth0 Next.js SDK versions prior to 1.6.2
Description: The issue affects the Auth0 Next.js SDK, a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login URL, which exposes the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Recommendations: Upgrade to version 1.6.2 or later, as this version contains the necessary fix for the issue. This update will not affect users.
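The defensive pattern behind this class of bug is to accept a returnTo value only when it resolves to a path on the application's own origin. The following is an added example of such a check, not code from the Auth0 SDK or its fix; the function name, the fallback path and the placeholder base origin are assumptions.

```javascript
// Added example (not the Auth0 Next.js SDK's own code). Returns returnTo only
// if it is a same-origin path; anything else falls back to a safe default.
// The placeholder base origin is an assumption used purely for resolution.
const PLACEHOLDER_BASE = "https://app.invalid";

function safeReturnTo(returnTo, fallback = "/") {
  if (typeof returnTo !== "string" || returnTo === "") return fallback;
  // Control characters and whitespace are never legitimate in a redirect target.
  if (/[\u0000-\u0020\u007f]/.test(returnTo)) return fallback;
  // Only path-style input is considered at all: no scheme, no host.
  if (!returnTo.startsWith("/")) return fallback;
  let parsed;
  try {
    // Resolve against a placeholder origin. A value that smuggles in its own
    // host ("//evil.example", "/\evil.example") changes the resulting origin.
    parsed = new URL(returnTo, PLACEHOLDER_BASE);
  } catch {
    return fallback;
  }
  if (parsed.origin !== PLACEHOLDER_BASE) return fallback;
  // Re-check after normalisation: "/..//evil.example" resolves to the pathname
  // "//evil.example", which a browser treats as protocol-relative.
  const path = parsed.pathname + parsed.search + parsed.hash;
  if (path.startsWith("//") || path.startsWith("/\\")) return fallback;
  return path;
}

// Constructed sample inputs a login handler might receive via ?returnTo=.
const returnToSamples = [
  "/dashboard?tab=1",
  "//evil.example/x",
  "/\\evil.example",
  "https://evil.example",
  "/..//evil.example",
  "/a/../b",
];
for (const sample of returnToSamples) {
  console.log(JSON.stringify(sample), "->", safeReturnTo(sample));
}
```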

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2021-43812
GHSA-2MQV-4J3R-VJVP

Affected Products

Auth0 Next.Js Sdk