CVE-2022-24858
low-risk
Published 2022-04-19
Affected: next-auth 3.x before 3.29.2 and 4.x before 4.3.2. The `callbackUrl` handled by next-auth was not validated against the application's own origin by default, so a crafted link could send a user to an attacker-controlled site after authentication (an open redirect). Upgrading to 3.29.2 or 4.3.2 fixes this. If you cannot upgrade, add a `redirect` callback to the `callbacks` option that only returns URLs whose origin matches `baseUrl`; if you already have a `redirect` callback, make sure it compares the origin of the incoming `url` against `baseUrl` and falls back to `baseUrl` on a mismatch.
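The mitigation above as working code. This is an added illustration, not next-auth's own source: `{ url, baseUrl }` is the documented `redirect` callback signature, while `unsafeRedirect`, `safeRedirect` and `demo` are names chosen here, and the sample callback URLs are constructed for the demonstration.

```javascript
// Added example for the CVE-2022-24858 mitigation: a `redirect` callback for
// next-auth's `callbacks` option that only follows callback URLs on the
// application's own origin. Not next-auth's code; the `{ url, baseUrl }`
// parameters follow the documented callback signature, the function names
// are chosen here, and the URLs in demo() are constructed test inputs.

// The pattern the advisory warns about: a custom redirect callback that
// trusts `url` unconditionally, so `?callbackUrl=https://evil.example/...`
// sends the user off-site after sign-in. Shown for contrast only.
function unsafeRedirect({ url }) {
  return url;
}

// Hardened callback: resolve `url` against `baseUrl`, then require the
// resulting origin (scheme + host + port) to equal the base origin.
function safeRedirect({ url, baseUrl }) {
  const base = new URL(baseUrl);
  let target;
  try {
    // Resolving relative to `base` accepts plain paths ("/dashboard") and
    // absolute URLs alike. Protocol-relative input ("//evil.example/x")
    // resolves to a foreign origin and is rejected by the check below.
    target = new URL(url, base);
  } catch {
    // Unparseable input: send the user to the configured base rather than
    // echoing the raw value into a Location header.
    return baseUrl;
  }
  // Compare whole origins, never hostname prefixes, so lookalike hosts
  // ("https://example.com.evil.example"), userinfo tricks
  // ("https://example.com@evil.example") and scheme downgrades ("http://")
  // all fail. `javascript:` URLs have origin "null" and fail as well.
  if (target.origin !== base.origin) {
    return baseUrl;
  }
  return target.href;
}

// Wiring it into the next-auth config (shown, not executed here):
//   export default NextAuth({
//     providers: [/* ... */],
//     callbacks: { redirect: safeRedirect },
//   });

// Runs both callbacks over constructed callback URLs and returns the
// decisions so the difference is visible without a browser.
function demo() {
  const baseUrl = "https://example.com";
  const inputs = [
    "/dashboard",
    "https://example.com/account?tab=security",
    "https://evil.example/phish",
    "//evil.example/phish",
    "https://example.com.evil.example/",
    "https://example.com@evil.example/",
    "http://example.com/",
    "javascript:alert(1)",
    "http://[bad",
  ];
  return inputs.map((url) => ({
    url,
    unsafe: unsafeRedirect({ url }),
    safe: safeRedirect({ url, baseUrl }),
  }));
}
```

Resolving with `new URL(url, base)` before comparing origins is deliberate: a `startsWith("/")` shortcut would treat `//evil.example/x` as a relative path, whereas the resolver turns it into an absolute URL on a foreign origin that the origin check then rejects.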
Do I need to act?
EPSS: 0.32% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: shown as unknown by this tracker, but the advisory text above names fixed releases (3.29.2 and 4.3.2); check the vendor advisory rather than relying on this field
CVSS: 6.1/10, Medium; attack vector NETWORK, attack complexity HIGH (as listed by this tracker)
Affected Products (1): Next-Auth
References (6)
Vendor Advisory: https://next-auth.js.org/getting-started/upgrade-v4
Risk score: 25 / 100 (low-risk)
Severity: 19/34 · Moderate
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal