Home > Vulnerability Database > CVE-2022-39263

Mend.io Vulnerability Database

CVE-2022-39263

Good to know:

Date: September 28, 2022

`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.

Language: TYPE_SCRIPT

Severity Score

8.1

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39263

Url: https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9

Url: https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9

Url: https://www.mend.io/vulnerability-database/CVE-2022-39263

Severity Score

8.1

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version @next-auth/upstash-redis-adapter - 3.0.2

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39263

Good to know:

Date: September 28, 2022

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?