CVE-2022-24858

Published: Apr 19, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.

Vendor	Product	Versions
nextauthjs	next-auth	affected `< 3.29.2, < 4.3.2`

Weaknesses (CWE)

CWE-290

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw

x_refsource_CONFIRM

https://next-auth.js.org/configuration/callbacks#redirect-callback

x_refsource_MISC

https://next-auth.js.org/getting-started/upgrade-v4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-24858

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References