CVE-2022-31093 - Vulnerability Details - OpenCVE

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Nextauth.js	Next-auth

Configuration 1 [-]

OR	cpe:2.3:a:nextauth.js:next-auth::::::node.js::*
	cpe:2.3:a:nextauth.js:next-auth::::::node.js::*

No data.

References

Link	Providers
https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432
https://next-auth.js.org/configuration/initialization#advanced-initialization

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-06-27T21:30:20.000Z

Updated: 2025-04-23T18:06:46.737Z

Reserved: 2022-05-18T00:00:00.000Z

Link: CVE-2022-31093

Vulnrichment

Updated: 2024-08-03T07:11:39.437Z

NVD

Status : Modified

Published: 2022-06-27T22:15:09.047

Modified: 2024-11-21T07:03:52.837

Link: CVE-2022-31093

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "next-auth", "vendor": "nextauthjs", "versions": [{"status": "affected", "version": "< 3.29.5"}, {"status": "affected", "version": ">= 4.0.0, < 4.5.0"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-27T21:30:20.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"}, {"tags": ["x_refsource_MISC"], "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"}], "source": {"advisory": "GHSA-g5fm-jp9v-2432", "discovery": "UNKNOWN"}, "title": "Improper Handling of `callbackUrl` parameter in next-auth", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31093", "STATE": "PUBLIC", "TITLE": "Improper Handling of `callbackUrl` parameter in next-auth"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "next-auth", "version": {"version_data": [{"version_value": "< 3.29.5"}, {"version_value": ">= 4.0.0, < 4.5.0"}]}}]}, "vendor_name": "nextauthjs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432", "refsource": "CONFIRM", "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"}, {"name": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85", "refsource": "MISC", "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"}, {"name": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6", "refsource": "MISC", "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"}, {"name": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "refsource": "MISC", "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"}]}, "source": {"advisory": "GHSA-g5fm-jp9v-2432", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.437Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:53:50.471341Z", "id": "CVE-2022-31093", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:06:46.737Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31093", "datePublished": "2022-06-27T21:30:20.000Z", "dateReserved": "2022-05-18T00:00:00.000Z", "dateUpdated": "2025-04-23T18:06:46.737Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.437Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-31093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:53:50.471341Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:53:52.077Z"}}], "cna": {"title": "Improper Handling of `callbackUrl` parameter in next-auth", "source": {"advisory": "GHSA-g5fm-jp9v-2432", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nextauthjs", "product": "next-auth", "versions": [{"status": "affected", "version": "< 3.29.5"}, {"status": "affected", "version": ">= 4.0.0, < 4.5.0"}]}], "references": [{"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6", "tags": ["x_refsource_MISC"]}, {"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-06-27T21:30:20.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"advisory": "GHSA-g5fm-jp9v-2432", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 3.29.5"}, {"version_value": ">= 4.0.0, < 4.5.0"}]}, "product_name": "next-auth"}]}, "vendor_name": "nextauthjs"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432", "name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432", "refsource": "CONFIRM"}, {"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85", "name": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85", "refsource": "MISC"}, {"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6", "name": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6", "refsource": "MISC"}, {"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "name": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31093", "STATE": "PUBLIC", "TITLE": "Improper Handling of `callbackUrl` parameter in next-auth", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-31093", "state": "PUBLISHED", "dateUpdated": "2025-04-23T18:06:46.737Z", "dateReserved": "2022-05-18T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-06-27T21:30:20.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9433E695-3D8D-4D49-B349-C3C68F013FEE", "versionEndExcluding": "3.29.5", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6D08EEB4-7815-4127-B2CA-BE4B4258D8CD", "versionEndExcluding": "4.5.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."}, {"lang": "es", "value": "NextAuth.js es una soluci\u00f3n completa de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. En las versiones afectadas, un atacante puede enviar una petici\u00f3n a una aplicaci\u00f3n usando NextAuth.js con un par\u00e1metro de consulta \"callbackUrl\" no v\u00e1lido, que internamente es convertido en un objeto \"URL\". La instanciaci\u00f3n de la URL fallaba debido a que era pasada una URL malformada al constructor, lo que causaba que fuera lanzado un error no manejado que conllevaba a que el **manejador de rutas de la API se desconectara y el inicio de sesi\u00f3n fallara**. Esto ha sido remediado en versiones 3.29.5 y 4.5.0. Si por alguna raz\u00f3n no puedes actualizar, la mitigaci\u00f3n requiere que te apoyes en la Inicializaci\u00f3n Avanzada. Consulte la documentaci\u00f3n para obtener m\u00e1s informaci\u00f3n"}], "id": "CVE-2022-31093", "lastModified": "2024-11-21T07:03:52.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-27T22:15:09.047", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Secondary"}]}