CVE-2022-31093 — HIGH (7.5)

Q: How severe is CVE-2022-31093?

CVE-2022-31093 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31093?

Check the references section above for vendor advisories and patch information. Affected products include: Nextauth.Js Next-Auth.

Vulnerability Description

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nextauth.Js	Next-Auth	>= 3.0.0, < 3.29.5

Related Weaknesses (CWE)

CWE-754

References

https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908PatchThird Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88PatchThird Party Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432MitigationThird Party Advisory
https://next-auth.js.org/configuration/initialization#advanced-initializationVendor Advisory
https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908PatchThird Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88PatchThird Party Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432MitigationThird Party Advisory
https://next-auth.js.org/configuration/initialization#advanced-initializationVendor Advisory

FAQ

What is CVE-2022-31093?

CVE-2022-31093 is a vulnerability with a CVSS score of 7.5 (HIGH). NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` qu...

How severe is CVE-2022-31093?

CVE-2022-31093 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31093?

Check the references section above for vendor advisories and patch information. Affected products include: Nextauth.Js Next-Auth.