fix(deps): update dependency next-auth to v4.24.5 [security] #263

renovate · 2022-04-22T21:35:43Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next-auth (source)	`4.0.2` -> `4.24.5`
next-auth (source)	`4.23.2` -> `4.24.5`

GitHub Vulnerability Alerts

CVE-2022-24858

next-auth v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our migration guide).next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
    // Allows relative callback URLs
    if (url.startsWith("/")) return new URL(url, baseUrl).toString()
    // Allows callback URLs on the same origin
    else if (new URL(url).origin === baseUrl) return url
    return baseUrl
}

If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.

CVE-2022-29214

Impact

We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.

next-auth v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.3.3 are impacted.

Patches

We've released patches for this vulnerability in:

v3 - 3.29.3
v4 - 4.3.3

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3.)

Workarounds

If you are not able to upgrade for any reason, you can add the following configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
    // Allows relative callback URLs
    if (url.startsWith("/")) return `${baseUrl}${url}`
    // Allows callback URLs on the same origin
    else if (new URL(url).origin === baseUrl) return url
    return baseUrl
}

References

This vulnerability was discovered right after GHSA-f9wg-5f46-cjmw was published and is very similar in nature.

Read more about the callbacks.redirect option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callback

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.

CVE-2022-31093

Impact

An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:

next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.5.0 are impacted.

Patches

We've released patches for this vulnerability in:

v3 - 3.29.5
v4 - 4.5.0

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:

Before:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

export default NextAuth(/* your config */)

After:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

function isValidHttpUrl(url) {
  try {
    return /^https?:/.test(url).protocol
  } catch {
    return false;
  }
}

export default async function handler(req, res) {
  if (
    req.query.callbackUrl &&
    !isValidHttpUrl(req.query.callbackUrl)
  ) {
   return res.status(500).send('');
  }
  
  return await NextAuth(req, res, /* your config */)
}

References

This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.

CVE-2022-31127

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: [email protected], <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to [email protected], and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

v3 - 3.29.8
v4 - 4.9.0

You can do:

npm i next-auth@latest

# or
yarn add next-auth@latest

#
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

CVE-2022-35924

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: [email protected],[email protected]) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being [email protected],[email protected]. This means that basic authorization like email.endsWith("@victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest

yarn add next-auth@latest

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@&#8203;")
  // The part before "@&#8203;" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@&#8203;${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

EmailProvider: https://next-auth.js.org/providers/email
Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
signIn callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback
Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
nodemailer address: https://nodemailer.com/message/addresses

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

CVE-2022-31186

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest

# or
yarn add next-auth@latest

# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs:

// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
  debug: process.env.NODE_ENV !== "production",
  logger: {
    error: (code, metadata) => {
      if (!(metadata instanceof Error) &&  metadata.provider) {
        // redact the provider secret here
        delete metadata.provider
        log.error(code, metadata)
      } else {
        log.error(code, metadata)
      }
    }
  },
}

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

CVE-2023-27490

Impact

next-auth applications using OAuth provider versions before v4.20.1 are affected.

A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.

As an example, an attack can happen in the following scenario.

TL;DR: The attacker steals the victim's authenticated callback by intercepting and tampering with the authorization URL created by next-auth.

The victim attempts to log in to the next-auth site. For example https://next-auth-example.vercel.app/
next-auth sets the checks cookies according to how the OAuth provider is configured. In this case, state and pkce are set by default for the Google Provider.

The attacker intercepts the returned authorization URL, strips away the OAuth check (nonce, state, pkce), and returns the URL without the check to the victim's browser. For example:
From
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow
to
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow.
Notice the parameters state, code_challenge and code_verifier are removed from the victim's address bar.
The victim attempts to log in using their OAuth account.
The Authorization Server logs the victim in and calls back to the next-auth api/auth/callback/:providerIdendpoint.
5.1. The attacker intercepts and logs this callback URL for later use.
5.2. next-auth checks the callback call from OAuth Authorization Server (doesn't have checks) and compares the checks with the cookies set (has checks) at step 2. This check will fail, resulting in the victim isn't logged in. However, at this step, the Authorization Server has already accepted the victim's request to log in and generated/sent a code in the URL.
The attacker now has an authorization URL with the code that the AS will exchange for valid access_token/id_token and can log in as the victim automatically. They can open a new browser window and paste in the URL logged at step 5.1 and log in as the victim.

Patches

We patched the vulnerability in next-auth v4.20.1
To upgrade, run one of the following:

npm i next-auth@latest

yarn add next-auth@latest

pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.

References

CVE-2023-48309

Impact

next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.

A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).

Manually overriding the next-auth.session-token cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).

This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)

This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).

Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.

Patches

We patched the vulnerability in next-auth v4.24.5. To upgrade, run one of the following:

npm i next-auth@latest

yarn add next-auth@latest

pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:

// middleware.ts
import { withAuth } from "next-auth/middleware"

export default withAuth(/*your middleware function*/, {
  // checking the existence of any property - besides `value` which might be a random string - on the `token` object is sufficient to prevent this vulnerability
  callbacks: { authorized: ({ token }) => !!token?.email }
})

References

Release Notes

nextauthjs/next-auth (next-auth)

fix(deps): update dependency next-auth to v4.24.5 [security] #263

Are you sure you want to change the base?

fix(deps): update dependency next-auth to v4.24.5 [security] #263

Conversation

renovate bot commented Apr 22, 2022 • edited Loading

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

For more information

Timeline

Impact

Patches

Workarounds

References

For more information

Timeline

Impact

Patches

Workarounds

References

For more information

Timeline

Impact

Patches

Workarounds

References

For more information

Timeline

Acknowledgments

Impact

Patches

Workarounds

References

For more information

Timeline

Impact

Patches

Workarounds

References

Impact

Patches

Workarounds

References

Release Notes

Bugfixes

Bugfixes

Bugfixes

Bugfixes

Bugfixes

Features

Bugfixes

Other

Bugfixes

Features

Bugfixes

Bugfixes

Other

Bugfixes

Other

Bugfixes

Other

Bugfixes

Other

Bugfixes

Features

Bugfixes

Other

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

Bugfixes

Bugfixes

Bugfixes

Bugfixes

Bugfixes

Other

renovate bot commented Apr 22, 2022 •

edited

Loading