SB2023030953 - CSRF in NextAuth.js

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site request forgery (CVE-ID: CVE-2023-27490)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin when using OAuth provider. A remote attacker can trick the victim to visit a specially crafted web page and tamper with authentication requests, which can lead to web application compromise.

Remediation

Install update from vendor's website.

References

• https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf
• https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
• https://www.rfc-editor.org/rfc/rfc6749#section-10.12
• https://next-auth.js.org/configuration/initialization#advanced-initialization
• https://authjs.dev/reference/core/providers#checks
• https://next-auth.js.org/configuration/providers/oauth
• https://security.netapp.com/advisory/ntap-20230420-0006/