-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency next-auth to v4.24.5 [security] #263
base: main
Are you sure you want to change the base?
Conversation
960a11e
to
911a43a
Compare
911a43a
to
0aa410c
Compare
0aa410c
to
ce0624c
Compare
ce0624c
to
94fd608
Compare
94fd608
to
f785d8e
Compare
f785d8e
to
1e22b7d
Compare
1e22b7d
to
d80a726
Compare
d80a726
to
5f5c03e
Compare
5f5c03e
to
3cb0d27
Compare
3cb0d27
to
0c8bb8e
Compare
0c8bb8e
to
2ca6410
Compare
7234041
to
6034e30
Compare
6034e30
to
67ab8f2
Compare
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@babel/[email protected], npm/@codegouvfr/[email protected], npm/@dataesr/[email protected], npm/@panva/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected] |
67ab8f2
to
b9c9ac3
Compare
b9c9ac3
to
ffb62ab
Compare
ffb62ab
to
c02792a
Compare
c02792a
to
6b40551
Compare
Quality Gate passedIssues Measures |
6b40551
to
3fd8a62
Compare
Quality Gate passedIssues Measures |
3fd8a62
to
583a821
Compare
583a821
to
d3c7589
Compare
d3c7589
to
25b66fa
Compare
Quality Gate passedIssues Measures |
25b66fa
to
9dc77aa
Compare
Quality Gate passedIssues Measures |
This PR contains the following updates:
4.0.2
->4.24.5
4.23.2
->4.24.5
GitHub Vulnerability Alerts
CVE-2022-24858
next-auth
v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our migration guide).next-auth
v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to yourcallbacks
option:If you already have a
redirect
callback, make sure that you match the incomingurl
origin against thebaseUrl
.CVE-2022-29214
Impact
We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.
next-auth
v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)next-auth
v4 users before version 4.3.3 are impacted.Patches
We've released patches for this vulnerability in:
3.29.3
4.3.3
You can do:
or
or
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3.)Workarounds
If you are not able to upgrade for any reason, you can add the following configuration to your
callbacks
option:References
This vulnerability was discovered right after GHSA-f9wg-5f46-cjmw was published and is very similar in nature.
Read more about the
callbacks.redirect
option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callbackFor more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.
CVE-2022-31093
Impact
An attacker can send a request to an app using NextAuth.js with an invalid
callbackUrl
query parameter, which internally we convert to aURL
object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.5.0 are impacted.
Patches
We've released patches for this vulnerability in:
3.29.5
4.5.0
You can do:
or
or
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3. This is not recommended.)Workarounds
If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:
Before:
After:
References
This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.
Related documentation:
A test case has been added so this kind of issue will be checked before publishing. See: nextauthjs/next-auth@e498483
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.
CVE-2022-31127
Impact
An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:
[email protected], <a href="http://attacker.com">Before signing in, claim your money!</a>
. This was previously sent to[email protected]
, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.8.0 are impacted.
Patches
We've released patches for this vulnerability in:
3.29.8
4.9.0
You can do:
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3. This is not recommended.)Workarounds
If for some reason you cannot upgrade, the workaround requires you to sanitize the
email
parameter that is passed tosendVerificationRequest
and rendered in the HTML. If you haven't created a customsendVerificationRequest
, you only need to upgrade. Otherwise, make sure to either excludeemail
from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emailsReferences
Related documentation:
A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.
CVE-2022-35924
Impact
next-auth
users who are using theEmailProvider
either in versions before4.10.3
or3.29.10
are affected.If an attacker could forge a request that sent a comma-separated list of emails (eg.:
[email protected],[email protected]
) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being[email protected],[email protected]
. This means that basic authorization likeemail.endsWith("@​victim.com")
in thesignIn
callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an@attacker.com
address.Patches
We patched this vulnerability in
v4.10.3
andv3.29.10
by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added anormalizeIdentifier
callback on theEmailProvider
configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)To upgrade, run one of the following:
(This will update to the latest v4 version, but you can change
latest
to3
if you want to stay on v3. This is not recommended. v3 is unmaintained.)Workarounds
If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:
References
signIn
callback: https://next-auth.js.org/configuration/callbacks#sign-in-callbacknodemailer
address: https://nodemailer.com/message/addressesFor more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.
Acknowledgments
We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.
CVE-2022-31186
Impact
An information disclosure vulnerability in
next-auth
beforev4.10.2
andv3.29.9
allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.Patches
We patched this vulnerability in
v4.10.2
andv3.29.9
by moving the log forprovider
information to the debug level. In addition, we added a warning for having thedebug: true
option turned on in production and documented it here.To upgrade:
(This will update to the latest v4 version, but you can change
latest
to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)Workarounds
If for some reason you cannot upgrade, you can user the
logger
configuration option by sanitizing the logs:References
Related documentation:
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.
CVE-2023-27490
Impact
next-auth
applications using OAuth provider versions beforev4.20.1
are affected.A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.
As an example, an attack can happen in the following scenario.
next-auth
site. For example https://next-auth-example.vercel.app/next-auth
sets thechecks
cookies according to how the OAuth provider is configured. In this case,state
andpkce
are set by default for the Google Provider.The attacker intercepts the returned authorization URL, strips away the OAuth check (nonce, state, pkce), and returns the URL without the check to the victim's browser. For example:
From
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow
to
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow
.Notice the parameters
state
,code_challenge
andcode_verifier
are removed from the victim's address bar.The victim attempts to log in using their OAuth account.
The Authorization Server logs the victim in and calls back to the
next-auth
api/auth/callback/:providerId
endpoint.5.1. The attacker intercepts and logs this callback URL for later use.
5.2.
next-auth
checks the callback call from OAuth Authorization Server (doesn't have checks) and compares the checks with the cookies set (has checks) at step 2. This check will fail, resulting in the victim isn't logged in. However, at this step, the Authorization Server has already accepted the victim's request to log in and generated/sent acode
in the URL.The attacker now has an authorization URL with the
code
that the AS will exchange for validaccess_token
/id_token
and can log in as the victim automatically. They can open a new browser window and paste in the URL logged at step 5.1 and log in as the victim.Patches
We patched the vulnerability in
next-auth
v4.20.1
To upgrade, run one of the following:
Workarounds
Upgrading to
latest
is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request forstate
,pkce
, andnonce
against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.References
checks
provider configCVE-2023-48309
Impact
next-auth
applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).
Manually overriding the
next-auth.session-token
cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)
This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).
Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.
Patches
We patched the vulnerability in
next-auth
v4.24.5
. To upgrade, run one of the following:Workarounds
Upgrading to
latest
is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:References
Release Notes
nextauthjs/next-auth (next-auth)
v4.24.5
Compare Source
Bugfixes
v4.24.4
Compare Source
Bugfixes
v4.24.3
Compare Source
Bugfixes
v4.24.2
Compare Source
Bugfixes
v4.24.1
Compare Source
Bugfixes
v4.24.0
Compare Source
Features
v4.23.2
Compare Source
Bugfixes
redirect: false
for route handler (#8775) (27b2519
)d813c00
)?
from signIn URL (#8466)Other
v4.23.1
Compare Source
Bugfixes
next-auth/adapters
(20c3fe3
)default
submodules export inpackage.json
(#8330)v4.23.0
Compare Source
Features
5a8aa2e
)Bugfixes
05ff6ae
)v4.22.5
Compare Source
Bugfixes
next-auth/adapter
&@auth/core/adapters
(nextauthjs/next-auth@3b0128c)Other
v4.22.4
Compare Source
Bugfixes
465644f
)getServerSession
(#8108)res.end()
in api handler (#8244)Other
getServerSession
unstable_getServerSession
v4.22.3
Compare Source
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.22.3
v4.22.2
Compare Source
Bugfixes
nodemailer
/required types (#7950) (f48eb04
)bd37c55
)169a523
)Other
v4.22.1
Bugfixes
instanceof Request
check fails (#7303)Other
b481048
)a220245
)next-auth
fromv4
tomain
(#7265)v4.21.1
Compare Source
Bugfixes
session
callback type changes (#7136) (ec8a343
)v4.21.0
Compare Source
Features
Bugfixes
8aa1789
)86d031f
)id
inupdateUser
as always defined (319f2ce
)Other
v4.20.1
Compare Source
v4.20.0
Compare Source
v4.19.2
Compare Source
What's Changed
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.2
v4.19.1
Compare Source
What's Changed
unstable
note. by @OrJDev in https://github.com/nextauthjs/next-auth/pull/6537unstable_getServerSession
by @joulev in https://github.com/nextauthjs/next-auth/pull/6560New Contributors
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.1
v4.19.0
Compare Source
What's Changed
oauth_token_secret
in https://github.com/nextauthjs/next-auth/pull/6534unstable_
prefixgetServerSession
in https://github.com/nextauthjs/next-auth/pull/6535generateSessionToken
awaitable in https://github.com/nextauthjs/next-auth/pull/6536Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.19.0
v4.18.10
Compare Source
v4.18.9
Compare Source
v4.18.8
Compare Source
What's Changed
docusaurus.config.js
settings (v4
) https://github.com/nextauthjs/next-auth/pull/6160NextAuth
correctly https://github.com/nextauthjs/next-auth/pull/6206Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.18.8
v4.18.7
Compare Source
Bugfixes
v4.18.6
Compare Source
Bugfixes
2875b49
)5259d24
)v4.18.5
Compare Source
Bugfixes
62f672a
)2c669b3
)v4.18.4
Compare Source
Bugfixes
Request
->Response
regressions (#5991) (5c4a9a6
)Content-Type
byunstable_getServerSession
https://github.com/nextauthjs/next-auth/pull/5991/commits/7c24c5613f470f4b33f0486201821c6d40bedca8,
while settingset-cookie
https://github.com/nextauthjs/next-auth/pull/5991/commits/7a390844c8db3c548ca0155f16d6a033693a3fbfv4.18.3
Compare Source
Bugfixes
157269e
)221bc8e
)Other
0a140cd
)v4.18.2
Compare Source
Bugfixes
f329102
)v4.18.1
Compare Source
Bugfixes
authOptions
inunstable_getServerSession
(#5973) (b19b2bc
)Other
Request
andResponse
(#4769) (7e91d7d
)c4352a7
)v4.18.0
Compare Source
Features
f277989
)Bugfixes
0d17578
)response.name
toresponse.nickname
(Naver) (#5915) (6e408e2
)unstable_getServerSession
return type (#5792) (a307079
)Other
2301c1b
)v4.17.0
Compare Source
Features
Bugfixes
jwt
inNextAuthOptions
(#5804) (8387c78
)Other
v4.16.4
Compare Source
Bugfixes
782812a
)v4.16.3
Compare Source
Bugfixes
3343ef1
)v4.16.2
Compare Source
Bugfixes
unstable_getServerSession
(180c625
)v4.16.1
Compare Source
v4.16.0
Features
unstable_getServerSession
in Server Components (#5741) (e90925b
)v4.15.1
Compare Source
Bugfixes
Other
v4.15.0
Compare Source
Features
refetchWhenOffline
option (#4940) (d9df582
)af840b2
)allowDangerousEmailAccountLinking
option for OAuth providers (#5513)Other
6758e1c
)v4.14.0
Compare Source
Features
38a03ed
)Bugfixes
e1eb684
)fe7aaed
)Other
f38ee19
)v4.13.0
Compare Source
Features
d13997e
)Bugfixes
basePath
(#5109) (490d59d
)6132c3f
)97feae7
)Other
0a4b99d
)d6efda0
)v4.12.3
Compare Source
Bugfixes
97feae7
)Other
0a4b99d
)v4.12.2
Compare Source
Bugfixes
6deccf6
)f770b90
)v4.12.1
Compare Source
Bugfixes
next
inpeerDependencies
#5427 (#5430) (54b1845
)v4.12.0
Compare Source
Features
965c626
)Others
v4.11.0
Compare Source
Features
a0beb02
)Bugfixes
includes()
for NextAuth pages (#5104) (44f2a47
)client_secret_post
token auth for LinkedIn (#5236) (ba20974
)f1d3bc2
)appid
param to Azure ADwellKnown
URL (#5138) (a03657e
)Other
ba55f06
)26a03da
)d980fa9
)v4.10.3
Compare Source
Bugfixes
normalizeIdentifier
to EmailProvider (afb1fcd
)a21db89
)v4.10.2
Compare Source
Bugfixes
logger
(#4970)v4.10.1
Compare Source
Bugfixes
2725d07
)issuer
in Azure AD B2C (042955e
)bb664a2
)withAuth
(#4926) (46eedee
)handleMiddleware
return type can beNextMiddlewareResult
(#4818) (8853000
)Other
next
path innext-auth
(fb60554
)v4.10.0
Compare Source
Features
c22d613
)3c210d9
)Bugfixes
secret
as option in Middleware (#4846) (c59a4e0
)cdf467e
)nodemailer
config in the EmailProvider (#4097) (1b91282
)af3c2dd
)colorScheme
optional (#4868) ([c1f7ce3
](https://redirect.githConfiguration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.