Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-24858

Good to know:

icon

Date: April 19, 2022

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a "redirect" callback, make sure that you match the incoming "url" origin against the "baseUrl".

Language: TYPE_SCRIPT

Severity Score

Related Resources (8)

https://github.com/nextauthjs/next-auth
https://nvd.nist.gov/vuln/detail/CVE-2022-24858
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
https://next-auth.js.org/getting-started/upgrade-v4
https://next-auth.js.org/configuration/callbacks#redirect-callback
https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
https://www.mend.io/vulnerability-database/CVE-2022-24858

Severity Score

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Authentication Bypass by Spoofing

CWE-290

Top Fix

icon

Upgrade Version

Upgrade to version next-auth - 4.3.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us