- Snyk ID SNYK-JS-NEXTAUTH-2968127
- published 3 Aug 2022
- disclosed 3 Aug 2022
- credit Unknown
How to fix?
Upgrade next-auth to version 3.29.10, 4.10.3 or higher.
next-auth is an authentication library for Next.js.
Affected versions of this package are vulnerable to Improper Authorization in
EmailProvider. An attacker can forge a request to the e-mail sign-in endpoint whose email field is a comma-separated list of addresses (for example attacker@attacker.com,victim@victim.com).
NextAuth.js would send the sign-in e-mail to both the attacker's and the victim's addresses, and the attacker could then log in as a newly created user whose identifier is the whole comma-separated string. Because that string ends with the victim's address, basic authorization such as
email.endsWith("@victim.com") in the
signIn callback would pass, so the check fails to communicate the threat to the developer and lets the attacker bypass authorization with an @attacker.com address.