CVE-2022-31186

LOW

NextAuth.js <4.10.2, <3.29.9 - Info Disclosure


Description

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information, such as an identity provider's secret, from the log (it is written during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can use the `logger` configuration option to sanitize the logs.
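The workaround mentioned above, as an added example (not code from the advisory or from the next-auth project): a custom `logger` whose callbacks redact secret-bearing fields before anything is written, so a `provider` object logged during OAuth error handling no longer leaks the `clientSecret`. The callback shape (`error(code, metadata)`, `warn(code)`, `debug(code, metadata)`) follows the next-auth v4 `logger` option; the exact layout of the metadata passed on OAuth errors is an assumption, which is why the redaction walks the whole object rather than a fixed path.

```javascript
// Keys whose values must never reach the log. The list is an assumption;
// extend it to match whatever your providers attach to error metadata.
const SENSITIVE_KEYS = new Set([
  "clientSecret", "client_secret", "secret",
  "access_token", "refresh_token", "id_token",
]);

// Deep-copy `value`, replacing anything under a sensitive key with a marker.
// Handles Error instances (message/stack are non-enumerable) and cycles.
function redact(value, seen = new WeakSet()) {
  if (value instanceof Error) {
    return { name: value.name, message: value.message, ...redact({ ...value }, seen) };
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  if (value && typeof value === "object") {
    if (seen.has(value)) return "[Circular]";
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k) ? "[REDACTED]" : redact(v, seen);
    }
    return out;
  }
  return value;
}

// Pass this object as the `logger` option to NextAuth(...).
const sanitizingLogger = {
  error(code, metadata) {
    console.error(`[next-auth][error][${code}]`, JSON.stringify(redact(metadata)));
  },
  warn(code) {
    console.warn(`[next-auth][warn][${code}]`);
  },
  debug(code, metadata) {
    // Debug output stays off in production, matching the upstream warning.
    if (process.env.NODE_ENV !== "production") {
      console.debug(`[next-auth][debug][${code}]`, JSON.stringify(redact(metadata)));
    }
  },
};

// Constructed sample resembling metadata an OAuth callback failure might carry.
const sampleMetadata = {
  error: new Error("invalid_client"),
  provider: { id: "github", clientId: "abc123", clientSecret: "s3cr3t-value" },
  message: "oauth callback failed",
};

sanitizingLogger.error("OAUTH_CALLBACK_ERROR", sampleMetadata);
```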

References (4)

Vendor Advisory (x_refsource_misc): https://next-auth.js.org/getting-started/upgrade-v4
Vendor Advisory (x_refsource_misc): https://next-auth.js.org/warnings#debug_enabled

Scores

CVSS v3 3.3
EPSS 0.0006
EPSS Percentile 17.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-532
Status published
Products (2)
next-auth/nextauth.js < 3.29.9
npm/next-auth 0 - 3.29.9
Published Aug 01, 2022
Tracked Since Feb 18, 2026