CVE-2022-31093 NextAuth.js is a complete open source authentication solution for Next.js applications

CVE-2022-31093 NextAuth.js is a complete open source authentication solution for Next.js applications

A possible attack vector to consider is when the user input a `callbackUrl` value which can be coerced into a valid `URL` object. We have confirmed that malicious JavaScript code in a Google Sheets script can cause the NextAuth.js parser to fail with a Malformed URL error and when the `callbackUrl` value is passed to NextAuth.js, the URL instantiation fails due to a malformed URL, causing the API route handler to time out. Because of this, if you are using a file upload field in NextAuth.js, you should avoid using `callbackUrl` as a value. A malicious user could potentially use this issue to execute a code, which could be anything, with their authorization_code. An attacker could potentially use this issue to hijack your account.

CVE-2023-31090

An attacker could potentially use this issue to hijack your account.

What you can do to mitigate this risk

We have confirmed that malicious JavaScript code in a Google Sheets script can cause the NextAuth.js parser to fail with a Malformed URL error and when the `callbackUrl` value is passed to NextAuth.js, the URL instantiation fails due to a malformed URL, causing the API route handler to time out. Because of this, if you are using a file upload field in NextAuth.js, you should avoid using `callbackUrl` as a value. If you have any other fields that are vulnerable to injection attacks, we recommend disabling them for now until we find an appropriate solution. You should also be aware that some apps may not properly sanitize user input before passing it into your application. We recommend monitoring your app logs for any unexpected errors and handling them appropriately.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe