Vulnerability identifier: #VU83343
Vulnerability risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-290
Exploitation vector: Network
Exploit availability: No
Vulnerable software: next-auth (Web applications / JS libraries)
Vendor: NextAuth.js
Description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in the Prisma database adapter, which checks the verification token but not the identifier (the email address associated with the token). A remote attacker can bypass the authentication process.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
next-auth: 3.0.0 - 3.29.10
External links
http://github.com/nextauthjs/next-auth/releases/tag/v3.3.0
http://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.