U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2023-48309

Change History

New CVE Received by NIST 11/20/2023 2:15:09 PM

Action Type Old Value New Value
Added CVSS V3.1

GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Added CWE

GitHub, Inc. CWE-285
Added CWE

GitHub, Inc. CWE-863
Added Description

NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.
Added Reference

GitHub, Inc. https://authjs.dev/guides/basics/role-based-access-control [No types assigned]
Added Reference

GitHub, Inc. https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10 [No types assigned]
Added Reference

GitHub, Inc. https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89 [No types assigned]
Added Reference

GitHub, Inc. https://next-auth.js.org/configuration/nextjs#advanced-usage [No types assigned]
Added Reference

GitHub, Inc. https://next-auth.js.org/configuration/nextjs#middlewar [No types assigned]