Improper authentication in next-auth - CVE-2023-48309


Published: November 20, 2023 / Updated: November 21, 2023


Vulnerability identifier: #VU83317
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-48309
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: NextAuth.js
Affected software: next-auth

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when processing authentication requests. A remote attacker who obtains a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (the state, PKCE or nonce token) can create an empty mock user and bypass the authentication process.

Note that this vulnerability gives access neither to other users' data nor to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (i.e. no name, email, access_token, etc.).
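The advisory's key detail is that the bypass yields a session whose user carries no identity at all. A defender can use that property as a hardening check: refuse to treat a token with no subject and no identity claims as a signed-in user. The code below is an added illustration written for this page; it is not next-auth's own code or its fix. The claim names (`sub`, `email`, `name`), the sample tokens and the `sessionFromToken` helper are assumptions, and where in an application such a check would live (a session callback or an authorization middleware) is left to the reader.

```javascript
// Added example, not next-auth's code: reject "empty" sessions.
// Assumption: the decoded JWT exposes the user's subject as `sub` and
// identity as `email` / `name`, as is common for OIDC-derived tokens.

const REQUIRED_CLAIMS = ["sub"];           // must always be present
const IDENTITY_CLAIMS = ["email", "name"]; // at least one must be present

function isNonEmptyString(value) {
  return typeof value === "string" && value.trim().length > 0;
}

// Returns true only when the token identifies a concrete user.
// A mock user of the kind the advisory describes (no name, no email,
// no subject) fails this check.
function hasRealIdentity(token) {
  if (!token || typeof token !== "object") return false;
  if (!REQUIRED_CLAIMS.every((claim) => isNonEmptyString(token[claim]))) {
    return false;
  }
  return IDENTITY_CLAIMS.some((claim) => isNonEmptyString(token[claim]));
}

// Builds the session object the application will see, or returns null
// so the caller treats the request as unauthenticated and can log it.
function sessionFromToken(session, token) {
  if (!hasRealIdentity(token)) {
    return null; // empty/mock user: grant no session
  }
  return {
    ...session,
    user: {
      ...(session.user || {}),
      id: token.sub,
      email: token.email,
      name: token.name,
    },
  };
}

// Constructed sample tokens (not real data).
const realUserToken = {
  sub: "user-123",
  email: "alice@example.com",
  name: "Alice",
  iat: 1700000000,
};
const mockUserToken = { iat: 1700000000 }; // no sub, email or name

module.exports = { hasRealIdentity, sessionFromToken, realUserToken, mockUserToken };
```

Run against the two constructed tokens, `sessionFromToken` returns a populated session for `realUserToken` and `null` for `mockUserToken`; a null result is also a useful signal to emit to your audit log, since a legitimate completed OAuth flow should never produce a token without identity claims.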

How to mitigate CVE-2023-48309

Install updates from the vendor's website.

Sources