Impact
We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.
next-auth
v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth
v4 users before version 4.3.3 are impacted.
Patches
We've released patches for this vulnerability in:
You can do:
or
yarn add next-auth@latest
or
pnpm add next-auth@latest
(This will update to the latest v4 version, but you can change latest
to 3
if you want to stay on v3.)
Workarounds
If you are not able to upgrade for any reason, you can add the following configuration to your callbacks
option:
// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
// Allows relative callback URLs
if (url.startsWith("/")) return `${baseUrl}${url}`
// Allows callback URLs on the same origin
else if (new URL(url).origin === baseUrl) return url
return baseUrl
}
References
This vulnerability was discovered right after GHSA-f9wg-5f46-cjmw was published and is very similar in nature.
Read more about the callbacks.redirect
option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callback
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.
References
Impact
We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.
next-auth
v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)next-auth
v4 users before version 4.3.3 are impacted.Patches
We've released patches for this vulnerability in:
3.29.3
4.3.3
You can do:
or
or
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3.)Workarounds
If you are not able to upgrade for any reason, you can add the following configuration to your
callbacks
option:References
This vulnerability was discovered right after GHSA-f9wg-5f46-cjmw was published and is very similar in nature.
Read more about the
callbacks.redirect
option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callbackFor more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.
References