A possible attack vector to consider is when the user inputs a `callbackUrl` value which can be coerced into a valid `URL` object. We have confirmed that malicious JavaScript code in a Google Sheets script can cause the NextAuth.js parser to fail with a Malformed URL error: when the `callbackUrl` value is passed to NextAuth.js, the URL instantiation fails due to a malformed URL, causing the API route handler to time out. Because of this, if you are using a file upload field in NextAuth.js, you should avoid using `callbackUrl` as a value. A malicious user could potentially use this issue to execute code, which could be anything, with their authorization_code. An attacker could potentially use this issue to hijack your account.

CVE-2023-31090

What you can do to mitigate this risk

Because a malformed `callbackUrl` makes the URL instantiation fail and the API route handler time out, avoid using `callbackUrl` as a value if you are using a file upload field in NextAuth.js. If you have any other fields that are vulnerable to injection attacks, we recommend disabling them for now until we find an appropriate solution. You should also be aware that some apps may not properly sanitize user input before passing it into your application. We recommend monitoring your app logs for any unexpected errors and handling them appropriately.
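
One way to keep a malformed `callbackUrl` from reaching an unguarded `new URL()` call in your own route code is to parse it defensively and fall back to a trusted base URL. This is an added example, not code from NextAuth.js or from this advisory; `resolveCallbackUrl`, its parameters, the length limit and the same-origin rule (which goes beyond the malformed-URL case described above) are assumptions.

```javascript
// Added example, not NextAuth.js source code. resolveCallbackUrl and its
// parameters are hypothetical names; the same-origin rule is an assumed policy.
const MAX_CALLBACK_URL_LENGTH = 2048; // assumed limit

function resolveCallbackUrl(rawCallbackUrl, baseUrl) {
  // baseUrl comes from trusted server configuration, never from the request.
  const base = new URL(baseUrl);
  const reject = (reason) => ({ url: base.origin, reason });

  // Query values can be missing or arrive as arrays (?callbackUrl=a&callbackUrl=b).
  if (typeof rawCallbackUrl !== "string" || rawCallbackUrl === "") {
    return reject("missing-or-not-a-string");
  }
  if (rawCallbackUrl.length > MAX_CALLBACK_URL_LENGTH) return reject("too-long");

  let parsed;
  try {
    // Paths are resolved against the trusted base; anything else must parse
    // as an absolute URL by itself. new URL() throws TypeError on bad input.
    parsed = rawCallbackUrl.startsWith("/")
      ? new URL(rawCallbackUrl, base)
      : new URL(rawCallbackUrl);
  } catch (err) {
    // The failure case from the text: handle it here so the route handler
    // can still send a response instead of hanging until it times out.
    return reject("malformed");
  }

  if (parsed.origin !== base.origin) return reject("cross-origin");
  return { url: parsed.href, reason: "ok" };
}

// Constructed sample inputs.
const samples = ["/dashboard", "https://", "not a url", ["/a", "/b"], "https://other.example/x"];
for (const sample of samples) {
  const { url, reason } = resolveCallbackUrl(sample, "https://app.example.com");
  console.log(JSON.stringify(sample), "->", url, `(${reason})`);
}
```

Logging the returned `reason` for every rejected value gives you the unexpected-error signal to watch for in your app logs.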

Timeline

Published on: 06/27/2022 22:15:00 UTC
Last modified on: 07/07/2022 19:45:00 UTC