PT-2022-20521 · Unknown · Nextauth.Js

Credits: Balazsorban44, +1
Published: 2022-06-21 · Updated: 2022-07-07
CVE-2022-31093
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
NextAuth.js versions prior to 3.29.5
NextAuth.js versions prior to 4.5.0

Description
An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which NextAuth.js internally converts to a URL object. Because a malformed string is passed into the URL constructor, the instantiation fails and throws an unhandled error, so the API route handler never responds: the request times out and sign-in fails.

Recommendations
For NextAuth.js versions prior to 3.29.5, update to version 3.29.5 or later. For NextAuth.js versions prior to 4.5.0, update to version 4.5.0 or later. As a temporary workaround, consider using Advanced Initialization to validate the callbackUrl query parameter before passing it to the NextAuth.js API. For example, you can add a validation function that checks whether callbackUrl is a valid HTTP URL before calling the NextAuth.js API.
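As an added example (not the advisory's text and not NextAuth.js project code), the JavaScript below shows both the failure mode the description refers to and the guard the recommendation suggests. `legacyHandler`, `makeGuardedHandler`, `runRoute`, the sample request objects and the default origin are all constructed for this illustration; the guarded wrapper only follows the shape of NextAuth.js Advanced Initialization (the app owns the route handler and delegates to NextAuth after inspecting the request), with the NextAuth call replaced by an injected function so the example runs offline and returns plain objects instead of writing to a response.

```javascript
// Added example, not NextAuth.js code: a callbackUrl guard in front of a
// NextAuth.js-style API route, next to a simulation of the unguarded behaviour.

// Hypothetical default used when no callbackUrl is supplied (constructed value).
const DEFAULT_ORIGIN = "https://app.example/";

// Returns true only if `value` parses as a URL with an http or https scheme.
// `new URL()` throws a TypeError on malformed input, so the try/catch is the
// exceptional-condition check the advisory says was missing.
function isValidHttpUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Unguarded handler mimicking the pre-fix pattern: it builds a URL object from
// the raw parameter. A malformed value throws out of the handler before any
// response is produced, which is what left the route hanging until timeout.
function legacyHandler(req) {
  const raw = req.query.callbackUrl ?? DEFAULT_ORIGIN;
  const url = new URL(raw); // throws on malformed input
  return { status: 200, redirect: url.href };
}

// Guarded wrapper in the style of Advanced Initialization: the app-owned
// handler validates callbackUrl and answers 400 itself instead of letting the
// inner handler throw. `nextAuth` is injected (here: legacyHandler) so the
// example does not depend on the real next-auth package.
function makeGuardedHandler(nextAuth) {
  return function handler(req) {
    const { callbackUrl } = req.query;
    if (callbackUrl !== undefined && !isValidHttpUrl(callbackUrl)) {
      return { status: 400, body: "Invalid callbackUrl" };
    }
    return nextAuth(req);
  };
}

// Runs a route and reports whether it answered or threw (the advisory's
// "unhandled error" case), so both outcomes can be compared as values.
function runRoute(handler, req) {
  try {
    return handler(req);
  } catch (err) {
    return { status: "unhandled", error: err.name };
  }
}

// Constructed sample requests (not captured traffic).
const malformedReq = { query: { callbackUrl: "not a url" } };
const nonHttpReq = { query: { callbackUrl: "javascript:void(0)" } };
const validReq = { query: { callbackUrl: "https://example.com/dashboard" } };
const noParamReq = { query: {} };

const guarded = makeGuardedHandler(legacyHandler);
```

With these inputs, `runRoute(legacyHandler, malformedReq)` reports an unhandled TypeError, while `runRoute(guarded, malformedReq)` and `runRoute(guarded, nonHttpReq)` return a 400 and the valid and parameterless requests still reach the inner handler. In a real deployment the same check would sit in the exported `(req, res)` handler before the call to NextAuth, and the rejection would be written to `res`.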

Weakness Enumeration
Improper Check for Exceptional Conditions

Related Identifiers

CVE-2022-31093
GHSA-G5FM-JP9V-2432

Affected Products

Nextauth.Js