PT-2022-16932 · Next-Auth · Next-Auth

Rustyguts · Published 2022-04-19 · Updated 2022-04-29

CVE-2022-24858
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: next-auth versions 3.0.0 through 3.29.1; next-auth versions 4.0.0 through 4.3.1

Description: The open redirect issue affects next-auth users on version 3 before 3.29.2 and version 4 before 4.3.2. Upgrading to version 3.29.2 or 4.3.2 patches the vulnerability. If an upgrade is not possible, adding a redirect callback under the callbacks option mitigates the issue. Users who already have a redirect callback must make sure it matches the origin of the incoming url against the baseUrl to prevent exploitation.

Recommendations: For next-auth versions 3.0.0 through 3.29.1, upgrade to version 3.29.2 to patch the vulnerability. For next-auth versions 4.0.0 through 4.3.1, upgrade to version 4.3.2 to patch the vulnerability. As a temporary workaround, add a configuration to the callbacks option that validates the url origin against the baseUrl. If you already have a redirect callback, modify it to match the incoming url origin against the baseUrl, using a function similar to:
```js
async redirect({ url, baseUrl }) {
  // Resolve relative paths against baseUrl; an absolute url is used as-is.
  const target = new URL(url, baseUrl)
  // Allow only targets on the same origin as baseUrl. Comparing the resolved
  // origin (rather than trusting a leading "/") also rejects protocol-relative
  // input such as "//other-host/path", which would otherwise resolve off-site.
  if (target.origin === new URL(baseUrl).origin) return target.toString()
  return baseUrl
}
```

Weakness Enumeration

Open Redirect
Authentication Bypass by Spoofing

Related Identifiers

CVE-2022-24858
GHSA-F9WG-5F46-CJMW

Affected Products

Next-Auth