PT-2022-4953 · Npm · @Next-Auth/Upstash-Redis-Adapter

Thanghuuvu +1
Published: 2022-09-02
Updated: 2025-09-17
CVE-2022-39263

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
@next-auth/upstash-redis-adapter versions prior to 3.0.2

Description
The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checked for the identifier when verifying the token in the email callback flow. An attacker who knows the victim's email could easily sign in as the victim, provided the attacker also knows the verification token's expiry duration.

Recommendations
For versions prior to 3.0.2, upgrade to v3.0.2 by running one of the following commands:

npm i @next-auth/upstash-redis-adapter@latest
yarn add @next-auth/upstash-redis-adapter@latest
pnpm add @next-auth/upstash-redis-adapter@latest

As a temporary workaround, developers can use Advanced Initialization to check the requests and compare the query's token and identifier before proceeding. This can be achieved by implementing a custom authentication function that hashes the token and compares it with the stored token.

Weakness Enumeration
Improper Authentication

Related Identifiers
BDU:2022-06147
CVE-2022-39263
GHSA-4RXR-27MM-MXQ9

Affected Products
@Next-Auth/Upstash-Redis-Adapter