#VU83351 Incorrect authorization in next-auth


Published: 2023-11-21

Vulnerability identifier: #VU83351

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-35924

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
next-auth
Web applications / JS libraries

Vendor: NextAuth.js

Description

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to the way NextAuth.js sends verification requests using the EmailProvider. If an attacker can forge a request that sends a comma-separated list of emails, the verification token is sent to both email addresses (e.g. attacker@attacker.com,victim@victim.com). In such a case the login name consists of both email addresses; however, the email notification is delivered to each of them.

Mitigation
Install updates from the vendor's website.
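The root cause described above is that the e-mail identifier taken from the sign-in request is handed to the mail transport without first being checked to be a single address. The following is an added example, not code from next-auth or from this bulletin: a weak normaliser in the spirit of the flaw next to a strict one that refuses anything other than one plain address, plus a small simulated sign-in step. The function names (naiveNormalize, strictNormalize, handleSignIn, recipientCount) and the sample identifiers are constructed for illustration; next-auth v4 exposes a normalizeIdentifier option on EmailProvider where a check of this shape can be plugged in.

```javascript
// Added example (not next-auth's own code): validate the e-mail identifier
// before a verification token is issued, so a forged comma-separated list of
// addresses cannot cause the token to be mailed to more than one recipient.

// Weak normalisation in the spirit of the advisory: it only trims and
// lowercases, so "attacker@attacker.com,victim@victim.com" passes through
// unchanged and a mail transport treats it as two recipients.
function naiveNormalize(identifier) {
  return identifier.trim().toLowerCase();
}

// Characters that mail transports commonly treat as recipient separators or
// display-name decoration. An identifier containing any of them is not a
// single bare address and is rejected outright.
const FORBIDDEN = /[,;<>\s"()]/;

// Hardened normalisation: exactly one "@", a non-empty local part and domain,
// no separator characters, and lowercase output so account lookups are
// consistent. Throws on anything that is not one plain address.
function strictNormalize(identifier) {
  if (typeof identifier !== "string") {
    throw new Error("identifier must be a string");
  }
  const value = identifier.trim().toLowerCase();
  if (value.length === 0 || value.length > 254) {
    throw new Error("identifier has invalid length");
  }
  if (FORBIDDEN.test(value)) {
    throw new Error("identifier must be a single e-mail address");
  }
  const parts = value.split("@");
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) {
    throw new Error("identifier must contain exactly one '@'");
  }
  const [local, domain] = parts;
  // Domain must be at least two dotted labels of letters, digits and hyphens.
  // Relax this if bare hostnames are legitimately expected in your deployment.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) {
    throw new Error("identifier has an invalid domain");
  }
  return `${local}@${domain}`;
}

// How many recipients a transport that splits on "," or ";" would see.
function recipientCount(address) {
  return address.split(/[,;]/).filter((s) => s.trim().length > 0).length;
}

// Simulated sign-in step: returns the address a token would be mailed to,
// or null when the identifier is rejected and no token is issued.
function handleSignIn(identifier, normalize) {
  try {
    return normalize(identifier);
  } catch (e) {
    return null;
  }
}

// Constructed sample input mirroring the advisory's example.
const FORGED = "attacker@attacker.com,victim@victim.com";
console.log(handleSignIn(FORGED, naiveNormalize));  // both addresses survive
console.log(handleSignIn(FORGED, strictNormalize)); // null: request rejected
```

Rejecting rather than silently truncating the identifier is the safer choice: a silently truncated value still lets a forged request trigger a token e-mail to an address the requester chose, whereas a rejection produces no token and leaves an auditable failed sign-in.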

Vulnerable software versions

next-auth: 4.0.0 - 4.10.2, 3.0.0 - 3.29.9


External links
http://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587
http://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.