Improper authentication in NextAuth.js
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-48309 |
| CWE-ID | CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
next-auth Web applications / JS libraries |
| Vendor | NextAuth.js |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper authentication
EUVDB-ID: #VU83317
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48309
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when processing authentication requests. A remote attacker can create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce), and bypass authentication process.
Note, this vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.).
Install updates from vendor's website.
Vulnerable software versionsnext-auth: 1.0.0 - 4.24.4
External linkshttp://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
