next-auth 4.23.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the next-auth package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Neutralization next-auth is an Authentication for Next.js Affected versions of this package are vulnerable to Improper Neutralization in the email validation component. An attacker can intercept sensitive authentication emails by submitting a specially crafted email address that manipulates the parsing logic, causing messages to be sent to an unintended mailbox. How to fix Improper Neutralization? Upgrade `next-auth` to version 4.24.12, 5.0.0-beta.30 or higher.	<4.24.12>=5.0.0-beta.0 <5.0.0-beta.30
M Improper Authorization next-auth is an Authentication for Next.js Affected versions of this package are vulnerable to Improper Authorization by obtaining an issued JWT from an interrupted OAuth sign-in flow. An attacker can manually override the `next-auth.session-token` cookie value with this non-related JWT, allowing the attacker to create an empty/mock user and peek at logged-in user states. Notes: Only applications prior to version 4.24.5 that rely on the default Middleware authorization are affected. This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. How to fix Improper Authorization? Upgrade `next-auth` to version 4.24.5 or higher.	<4.24.5

Vulnerability

Vulnerable Version

Improper Neutralization

next-auth is an Authentication for Next.js

Affected versions of this package are vulnerable to Improper Neutralization in the email validation component. An attacker can intercept sensitive authentication emails by submitting a specially crafted email address that manipulates the parsing logic, causing messages to be sent to an unintended mailbox.

How to fix Improper Neutralization?

Upgrade next-auth to version 4.24.12, 5.0.0-beta.30 or higher.

<4.24.12>=5.0.0-beta.0 <5.0.0-beta.30

Improper Authorization

next-auth is an Authentication for Next.js

Affected versions of this package are vulnerable to Improper Authorization by obtaining an issued JWT from an interrupted OAuth sign-in flow. An attacker can manually override the next-auth.session-token cookie value with this non-related JWT, allowing the attacker to create an empty/mock user and peek at logged-in user states.

Notes:

Only applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.
This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means.
Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications.

How to fix Improper Authorization?

Upgrade next-auth to version 4.24.5 or higher.

<4.24.5

next-auth@4.23.1 vulnerabilities

Authentication for Next.js

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically