{"id":"GHSA-g5fm-jp9v-2432","summary":"Improper Handling of `callbackUrl` parameter in next-auth","details":"### Impact\n\nAn attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases:\n\nnext-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4))\n\nnext-auth v4 users before version 4.5.0 are impacted.\n\n### Patches\n\nWe've released patches for this vulnerability in:\n  \n- v3 - `3.29.5`\n- v4 - `4.5.0`\n\nYou can do:\n\n```sh\nnpm i next-auth@latest\n```\n\nor\n\n```sh\nyarn add next-auth@latest\n```\n\nor\n\n```sh\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change  `latest` to `3` if you want to stay on v3. This is not recommended.)\n\n### Workarounds\n\nIf for some reason you cannot upgrade, the workaround requires you to rely on [Advanced Initialization](https://next-auth.js.org/configuration/initialization#advanced-initialization). Here is an example:\n\n**Before:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nexport default NextAuth(/* your config */)\n```\n\n**After:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nfunction isValidHttpUrl(url) {\n  try {\n    return /^https?:/.test(url).protocol\n  } catch {\n    return false;\n  }\n}\n\nexport default async function handler(req, res) {\n  if (\n    req.query.callbackUrl &&\n    !isValidHttpUrl(req.query.callbackUrl)\n  ) {\n   return res.status(500).send('');\n  }\n  \n  return await NextAuth(req, res, /* your config */)\n}\n```\n\n\n### References\n\nThis vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.\n\nRelated documentation:\n\n- https://next-auth.js.org/getting-started/client#specifying-a-callbackurl\n- https://next-auth.js.org/configuration/callbacks#redirect-callback\n\nA test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.","aliases":["CVE-2022-31093"],"modified":"2023-11-08T04:09:25.715079Z","published":"2022-06-21T20:06:36Z","database_specific":{"cwe_ids":["CWE-754"],"nvd_published_at":"2022-06-27T22:15:00Z","github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2022-06-21T20:06:36Z"},"references":[{"type":"WEB","url":"https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31093"},{"type":"WEB","url":"https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"},{"type":"WEB","url":"https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"},{"type":"PACKAGE","url":"https://github.com/nextauthjs/next-auth"},{"type":"WEB","url":"https://next-auth.js.org/configuration/initialization#advanced-initialization"}],"affected":[{"package":{"name":"next-auth","ecosystem":"npm","purl":"pkg:npm/next-auth"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.29.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-g5fm-jp9v-2432/GHSA-g5fm-jp9v-2432.json"}},{"package":{"name":"next-auth","ecosystem":"npm","purl":"pkg:npm/next-auth"},"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0.0"},{"fixed":"4.5.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-g5fm-jp9v-2432/GHSA-g5fm-jp9v-2432.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}