PT-2022-20596 · Next-Auth · Next-Auth

Balazsorban44 +1 · Published 2022-08-01 · Updated 2022-08-09 · CVE-2022-31186

CVSS v3.1: 3.3 Low
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: next-auth versions prior to v4.10.2; next-auth versions prior to v3.29.9

Description: An information disclosure issue allows an attacker with log access privilege to obtain excessive information, such as an identity provider's secret, from the log entry that is written during OAuth error handling. This can be used to leverage further attacks on the system, such as impersonating the client to ask for extensive permissions. The issue has been patched by moving the log output for provider information to the debug level, and a warning has been added for having the debug option turned on in production.

Recommendations: For versions prior to v4.10.2 and v3.29.9, upgrade to v4.10.2 or v3.29.9 to patch the vulnerability. If upgrading is not possible, use the logger configuration option to sanitize the logs and prevent information disclosure. Consider setting debug: process.env.NODE_ENV !== "production" to only allow debugging while not in production. If logging debug messages in production is necessary, set the logger option with proper sanitization of potentially sensitive user and provider information.
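The following is an added example illustrating the mitigation described above; it is not code from next-auth or from the advisory. It assumes the next-auth `logger` option accepts an object with `error(code, metadata)`, `warn(code)` and `debug(code, metadata)` methods, and the metadata object fed to it in the test is constructed to resemble an OAuth error carrying provider configuration. The `redact`, `shouldDebug` and `createSanitizingLogger` names are this example's own.

```javascript
// Added example: a sanitizing logger for the next-auth `logger` option plus the
// NODE_ENV-based debug gating the advisory recommends. Not next-auth's own code.

// Property names that should never reach a log line (assumed list; extend as needed).
const SENSITIVE_KEY = /secret|token|password|authorization|cookie|private/i;

// Deep-copy a value, replacing every property whose key looks sensitive.
// Errors are flattened to name/message plus their redacted own properties,
// since next-auth attaches provider metadata to the error it logs.
function redact(value, depth = 0) {
  if (depth > 8 || value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  const out = value instanceof Error ? { name: value.name, message: value.message } : {};
  for (const key of Object.keys(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? "[REDACTED]" : redact(value[key], depth + 1);
  }
  return out;
}

// Mirrors the recommended `debug: process.env.NODE_ENV !== "production"`.
function shouldDebug(nodeEnv) {
  return nodeEnv !== "production";
}

// Build a logger object in the shape next-auth expects (assumed API), routing
// every message through redact() before it reaches the sink (console by default).
function createSanitizingLogger(sink = console) {
  return {
    error(code, metadata) {
      sink.error(code, redact(metadata));
    },
    warn(code) {
      sink.warn(code);
    },
    debug(code, metadata) {
      sink.debug(code, redact(metadata));
    },
  };
}

// Intended wiring in pages/api/auth/[...nextauth].js (shape assumed):
//   export default NextAuth({
//     providers: [/* ... */],
//     debug: shouldDebug(process.env.NODE_ENV),
//     logger: createSanitizingLogger(),
//   });

module.exports = { redact, shouldDebug, createSanitizingLogger };
```

The redaction is keyed on property names rather than values, so it also catches secrets nested inside the error object next-auth passes to `logger.error`; the depth limit guards against cyclic structures.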

Exploit

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2022-31186
GHSA-P6MM-27GQ-9V3P

Affected Products

Next-Auth