next-auth
npm
9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting next-auth (page 1 of 1)
- CVE-2021-21310 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 3.3.0 | 2021-02-11
NextAuth.js (next-auth) is an open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction wit…
- CVE-2022-24858 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.3.2 | 2022-04-19
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add…
- CVE-2022-29214 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.3.3 | 2022-05-21
NextAuth.js (next-auth) is an open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29…
- CVE-2022-31093 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.5.0 | 2022-06-27
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is conv…
- CVE-2022-31127 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 4.9.0 | 2022-07-06
NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) …
- CVE-2022-31186 | LOW | CVSS 3.3 | EG 3.3 | ✓ Fixed in 4.10.2 | 2022-08-01
NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive …
- CVE-2022-35924 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 3.29.10 | 2022-08-02
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request …
- CVE-2023-27490 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 4.20.1 | 2023-03-09
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can r…
- CVE-2023-48309 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 4.24.5 | 2023-11-20
NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting ho…