CVE-2022-24858
MEDIUM
next-auth < 3.29.2 and 4.0.0-4.3.1 - Authentication Bypass via Redirect Callback
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
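Added example, not code from this record or from the next-auth project: the configuration workaround described above, written as a `redirect` callback that resolves the incoming `url` against `baseUrl` and only follows it when the origin matches, shown beside the weak pattern that returns `url` unchanged. It assumes the NextAuth v4 object-argument signature `redirect({ url, baseUrl })` (v3 passes the same two values positionally) and a constructed base URL of `https://app.example`.

```javascript
// Added example (not next-auth's own code). Assumes the NextAuth v4
// callback signature `redirect({ url, baseUrl })`.

// Weak pattern: trusting the incoming url unconditionally turns the
// sign-in flow into an open redirect (CWE-601).
function weakRedirect({ url }) {
  return url;
}

// Hardened pattern: resolve url relative to baseUrl, then require that
// the resolved origin equals the application's own origin.
function safeRedirect({ url, baseUrl }) {
  const base = new URL(baseUrl);
  let target;
  try {
    // Resolving against baseUrl keeps relative paths such as "/dashboard"
    // working and turns protocol-relative input such as "//other.example"
    // into an absolute URL whose origin can be compared.
    target = new URL(url, base);
  } catch {
    return base.origin; // unparsable input: fall back to the app root
  }
  return target.origin === base.origin ? target.href : base.origin;
}

// NextAuth options fragment wiring in the hardened callback.
const authOptions = {
  callbacks: {
    async redirect({ url, baseUrl }) {
      return safeRedirect({ url, baseUrl });
    },
  },
};

// Constructed sample callback URLs (assumed base URL, not a real site).
const BASE_URL = "https://app.example";
const SAMPLES = [
  "/dashboard",                  // relative path on the app: allowed
  "https://app.example/settings", // same origin: allowed
  "https://other.example/",      // foreign origin: replaced by the app root
  "//other.example/",            // protocol-relative foreign origin: replaced
  "https://",                    // malformed: replaced by the app root
];

// Returns what each pattern would redirect to for every sample URL.
function demo() {
  return SAMPLES.map((url) => ({
    url,
    weak: weakRedirect({ url, baseUrl: BASE_URL }),
    safe: safeRedirect({ url, baseUrl: BASE_URL }),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

`authOptions` is the shape handed to `NextAuth(...)`; the rest of the block only exercises the two callbacks on the sample inputs.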
References (3)
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw
Vendor Advisory x_refsource_misc
https://next-auth.js.org/configuration/callbacks#redirect-callback
Vendor Advisory x_refsource_misc
https://next-auth.js.org/getting-started/upgrade-v4
Scores
CVSS v3
6.1
EPSS
0.0032
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-290
CWE-601
Status
published
Products (2)
nextauth.js/next-auth
3.0.0 - 3.29.2
npm/next-auth
0 - 3.29.2
Published
Apr 19, 2022
Tracked Since
Feb 18, 2026