CVE-2023-48309— next-auth 安全漏洞

next-auth vulnerable to possible user mocking that bypasses basic authentication

NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

授权机制不恰当

next-auth 安全漏洞

next-auth是Next.js应用程序的完整开源身份验证解决方案。 next-auth 4.24.5 之前版本存在安全漏洞，该漏洞源于攻击者可以通过从中断的 OAuth 登录流程（状态、PKCE 或随机数）来获取 NextAuth.js 颁发的 JWT，并创建模拟用户，攻击者利用该漏洞可以窥视登录的用户状态。

N/A

N/A