fix(deps): update dependency next-auth to v4.24.5 [security] #68
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.12.0
->4.24.5
GitHub Vulnerability Alerts
CVE-2023-27490
Impact
next-auth
applications using OAuth provider versions beforev4.20.1
are affected.A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.
As an example, an attack can happen in the following scenario.
next-auth
site. For example https://next-auth-example.vercel.app/next-auth
sets thechecks
cookies according to how the OAuth provider is configured. In this case,state
andpkce
are set by default for the Google Provider.The attacker intercepts the returned authorization URL, strips away the OAuth check (nonce, state, pkce), and returns the URL without the check to the victim's browser. For example:
From
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow
to
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow
.Notice the parameters
state
,code_challenge
andcode_verifier
are removed from the victim's address bar.The victim attempts to log in using their OAuth account.
The Authorization Server logs the victim in and calls back to the
next-auth
api/auth/callback/:providerId
endpoint.5.1. The attacker intercepts and logs this callback URL for later use.
5.2.
next-auth
checks the callback call from OAuth Authorization Server (doesn't have checks) and compares the checks with the cookies set (has checks) at step 2. This check will fail, resulting in the victim isn't logged in. However, at this step, the Authorization Server has already accepted the victim's request to log in and generated/sent acode
in the URL.The attacker now has an authorization URL with the
code
that the AS will exchange for validaccess_token
/id_token
and can log in as the victim automatically. They can open a new browser window and paste in the URL logged at step 5.1 and log in as the victim.Patches
We patched the vulnerability in
next-auth
v4.20.1
To upgrade, run one of the following:
Workarounds
Upgrading to
latest
is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request forstate
,pkce
, andnonce
against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.References
checks
provider configCVE-2023-48309
Impact
next-auth
applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).
Manually overriding the
next-auth.session-token
cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)
This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).
Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.
Patches
We patched the vulnerability in
next-auth
v4.24.5
. To upgrade, run one of the following:Workarounds
Upgrading to
latest
is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:References
Release Notes
nextauthjs/next-auth (next-auth)
v4.24.5
Compare Source
Bugfixes
v4.24.4
Compare Source
Bugfixes
v4.24.3
Compare Source
Bugfixes
v4.24.2
Compare Source
Bugfixes
v4.24.1
Compare Source
Bugfixes
v4.24.0
Compare Source
Features
v4.23.2
Compare Source
Bugfixes
redirect: false
for route handler (#8775) (27b2519
)d813c00
)?
from signIn URL (#8466)Other
v4.23.1
Compare Source
Bugfixes
next-auth/adapters
(20c3fe3
)default
submodules export inpackage.json
(#8330)v4.23.0
Compare Source
Features
5a8aa2e
)Bugfixes
05ff6ae
)v4.22.5
Compare Source
Bugfixes
next-auth/adapter
&@auth/core/adapters
(nextauthjs/next-auth@3b0128c)Other
v4.22.4
Compare Source
Bugfixes
465644f
)getServerSession
(#8108)res.end()
in api handler (#8244)Other
getServerSession
unstable_getServerSession
v4.22.3
Compare Source
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.22.3
v4.22.2
Compare Source
Bugfixes
nodemailer
/required types (#7950) (f48eb04
)bd37c55
)169a523
)Other
v4.22.1
Bugfixes
instanceof Request
check fails (#7303)Other
b481048
)a220245
)next-auth
fromv4
tomain
(#7265)v4.21.1
Compare Source
Bugfixes
session
callback type changes (#7136) (ec8a343
)v4.21.0
Compare Source
Features
Bugfixes
8aa1789
)86d031f
)id
inupdateUser
as always defined (319f2ce
)Other
v4.20.1
Compare Source
v4.20.0
Compare Source
v4.19.2
Compare Source
What's Changed
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.2
v4.19.1
Compare Source
What's Changed
unstable
note. by @OrJDev in https://github.com/nextauthjs/next-auth/pull/6537unstable_getServerSession
by @joulev in https://github.com/nextauthjs/next-auth/pull/6560New Contributors
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.1
v4.19.0
Compare Source
What's Changed
oauth_token_secret
in https://github.com/nextauthjs/next-auth/pull/6534unstable_
prefixgetServerSession
in https://github.com/nextauthjs/next-auth/pull/6535generateSessionToken
awaitable in https://github.com/nextauthjs/next-auth/pull/6536Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.0
v4.18.10
Compare Source
v4.18.9
Compare Source
v4.18.8
Compare Source
What's Changed
docusaurus.config.js
settings (v4
) https://github.com/nextauthjs/next-auth/pull/6160NextAuth
correctly https://github.com/nextauthjs/next-auth/pull/6206Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.18.8
v4.18.7
Compare Source
Bugfixes
v4.18.6
Compare Source
Bugfixes
2875b49
)5259d24
)v4.18.5
Compare Source
Bugfixes
62f672a
)2c669b3
)v4.18.4
Compare Source
Bugfixes
Request
->Response
regressions (#5991) (5c4a9a6
)Content-Type
byunstable_getServerSession
https://github.com/nextauthjs/next-auth/pull/5991/commits/7c24c5613f470f4b33f0486201821c6d40bedca8,
while settingset-cookie
https://github.com/nextauthjs/next-auth/pull/5991/commits/7a390844c8db3c548ca0155f16d6a033693a3fbfv4.18.3
Compare Source
Bugfixes
157269e
)221bc8e
)Other
0a140cd
)v4.18.2
Compare Source
Bugfixes
f329102
)v4.18.1
Compare Source
Bugfixes
authOptions
inunstable_getServerSession
(#5973) (b19b2bc
)Other
Request
andResponse
(#4769) (7e91d7d
)c4352a7
)v4.18.0
Compare Source
Features
f277989
)Bugfixes
0d17578
)response.name
toresponse.nickname
(Naver) (#5915) (6e408e2
)unstable_getServerSession
return type (#5792) (a307079
)Other
2301c1b
)v4.17.0
Compare Source
Features
Bugfixes
jwt
inNextAuthOptions
(#5804) (8387c78
)Other
v4.16.4
Compare Source
Bugfixes
782812a
)v4.16.3
Compare Source
Bugfixes
3343ef1
)v4.16.2
Compare Source
Bugfixes
unstable_getServerSession
(180c625
)v4.16.1
Compare Source
v4.16.0
Features
unstable_getServerSession
in Server Components (#5741) (e90925b
)v4.15.1
Compare Source
Bugfixes
Other
v4.15.0
Compare Source
Features
refetchWhenOffline
option (#4940) (d9df582
)af840b2
)allowDangerousEmailAccountLinking
option for OAuth providers (#5513)Other
6758e1c
)v4.14.0
Compare Source
Features
38a03ed
)Bugfixes
e1eb684
)fe7aaed
)Other
f38ee19
)v4.13.0
Compare Source
Features
d13997e
)Bugfixes
basePath
(#5109) (490d59d
)6132c3f
)97feae7
)Other
0a4b99d
)d6efda0
)v4.12.3
Compare Source
Bugfixes
97feae7
)Other
0a4b99d
)v4.12.2
Compare Source
Bugfixes
6deccf6
)f770b90
)v4.12.1
Compare Source
Bugfixes
next
inpeerDependencies
#5427 (#5430) (54b1845
)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.