CVE-2022-31093

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

### Impact An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases: next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4)) next-auth v4 users before version 4.5.0 are impacted. ### Patches We've released patches for this vulnerability in: - v3 - `3.29.5` - v4 - `4.5.0` You can do: ```sh npm i next-auth@latest ``` or ```sh yarn add next-auth@latest ``` or ```sh pnpm add next-auth@latest ``` (This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended.) ### Workarounds If for some reason you cannot upgrade, the workaround requires you to rely on [Advanced Initialization](https://next-auth.js.org/configuration/initialization#advanced-initialization). Here is an example: **Before:** ```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth" export default NextAuth(/* your config */) ``` **After:** ```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth" function isValidHttpUrl(url) { try { return /^https?:/.test(url).protocol } catch { return false; } } export default async function handler(req, res) { if ( req.query.callbackUrl && !isValidHttpUrl(req.query.callbackUrl) ) { return res.status(500).send(''); } return await NextAuth(req, res, /* your config */) } ``` ### References This vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature. Related documentation: - https://next-auth.js.org/getting-started/client#specifying-a-callbackurl - https://next-auth.js.org/configuration/callbacks#redirect-callback A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6 ### For more information If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability ### Timeline The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.

### Impact An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases: next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4)) next-auth v4 users before version 4.5.0 are impacted. ### Patches We've released patches for this vulnerability in: - v3 - `3.29.5` - v4 - `4.5.0` You can do: ```sh npm i next-auth@latest ``` or ```sh yarn add next-auth@latest ``` or ```sh pnpm add next-auth@latest ``` (This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended.) ### Workarounds If for some reason you cannot upgrade, the workaround requires you to rely on [Advanced Initialization](https://next-auth.js.org/configuration/initialization#advanced-initialization). Here is an example: **Before:** ```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth" export default NextAuth(/* your config */) ``` **After:** ```js // pages/api/auth/[...nextauth].js import NextAuth from "next-auth" function isValidHttpUrl(url) { try { return /^https?:/.test(url).protocol } catch { return false; } } export default async function handler(req, res) { if ( req.query.callbackUrl && !isValidHttpUrl(req.query.callbackUrl) ) { return res.status(500).send(''); } return await NextAuth(req, res, /* your config */) } ``` ### References This vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature. Related documentation: - https://next-auth.js.org/getting-started/client#specifying-a-callbackurl - https://next-auth.js.org/configuration/callbacks#redirect-callback A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6 ### For more information If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability ### Timeline The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.

NextAuth.js es una solución completa de autenticación de código abierto para aplicaciones Next.js. En las versiones afectadas, un atacante puede enviar una petición a una aplicación usando NextAuth.js con un parámetro de consulta "callbackUrl" no válido, que internamente es convertido en un objeto "URL". La instanciación de la URL fallaba debido a que era pasada una URL malformada al constructor, lo que causaba que fuera lanzado un error no manejado que conllevaba a que el **manejador de rutas de la API se desconectara y el inicio de sesión fallara**. Esto ha sido remediado en versiones 3.29.5 y 4.5.0. Si por alguna razón no puedes actualizar, la mitigación requiere que te apoyes en la Inicialización Avanzada. Consulte la documentación para obtener más información