CVE-2022-24858
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.
| Software | From | Fixed in |
|---|---|---|
| nextauth.js / next-auth | 4.0.0 | 4.3.2 |
| nextauth.js / next-auth | 3.0.0 | 3.29.2 |
next-auth
|
- | 3.29.2 |
|
next-auth
|
4.0.0 | 4.3.2 |
- https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50
- https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2
- https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
- https://next-auth.js.org/configuration/callbacks#redirect-callback
- https://next-auth.js.org/getting-started/upgrade-v4
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime