Improper authentication in next-auth - CVE-2023-48309

Published: November 20, 2023 / Updated: November 21, 2023

Vulnerability identifier: #VU83317
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-48309
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: next-auth
Software vendor: NextAuth.js

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when processing authentication requests. A remote attacker who obtains a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (the state, PKCE or nonce token) can use it to create an empty/mock user and bypass the authentication process.

Note that this vulnerability gives no access to other users' data, nor to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (i.e. no name, email, access_token, etc.).

Remediation

Install updates from vendor's website.

External links