CVE-2023-48309

Name of the Vulnerable Software and Affected Versions next-auth versions prior to 4.24.5

Description A vulnerability in next-auth allows a bad actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow and manually overriding the next-auth.session-token cookie value. This mock user has no information associated with it, but can be used to simulate a logged-in user and potentially peek at logged-in user states, such as dashboard layouts. The vulnerability does not give access to other users' data or resources that require proper authorization.

Recommendations For versions prior to 4.24.5, upgrade to version 4.24.5 or later by running npm i next-auth@latest, yarn add next-auth@latest, or pnpm add next-auth@latest. As a temporary workaround, developers can use a custom authorization callback for Middleware to manually perform basic authentication, such as checking the existence of a property like email on the token object.