Impact
An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl
query parameter, which internally we convert to a URL
object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:
next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.5.0 are impacted.
Patches
We've released patches for this vulnerability in:
You can do:
or
yarn add next-auth@latest
or
pnpm add next-auth@latest
(This will update to the latest v4 version, but you can change latest
to 3
if you want to stay on v3. This is not recommended.)
Workarounds
If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:
Before:
// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"
export default NextAuth(/* your config */)
After:
// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"
function isValidHttpUrl(url) {
try {
return /^https?:/.test(url).protocol
} catch {
return false;
}
}
export default async function handler(req, res) {
if (
req.query.callbackUrl &&
!isValidHttpUrl(req.query.callbackUrl)
) {
return res.status(500).send('');
}
return await NextAuth(req, res, /* your config */)
}
References
This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.
Related documentation:
A test case has been added so this kind of issue will be checked before publishing. See: e498483
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.
Impact
An attacker can send a request to an app using NextAuth.js with an invalid
callbackUrl
query parameter, which internally we convert to aURL
object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.5.0 are impacted.
Patches
We've released patches for this vulnerability in:
3.29.5
4.5.0
You can do:
or
or
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3. This is not recommended.)Workarounds
If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:
Before:
After:
References
This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.
Related documentation:
A test case has been added so this kind of issue will be checked before publishing. See: e498483
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.