Headline
CVE-2022-31093: fix: handle invalid `callbackUrl` · nextauthjs/next-auth@25517b7
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl
query parameter, which internally is converted to a URL
object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the API route handler timing out and logging in to fail. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
@@ -99,7 +99,7 @@ This is required to store the verification token. Please see the [email provider
The Credentials Provider can only be used if JSON Web Tokens are used for sessions.
JSON Web Tokens are used for Sessions by default if you have not specified a database. However, if you are using a database, then Database Sessions are enabled by default and you need to [explicitly enable JWT Sessions](https://next-auth.js.org/configuration/options#session) to use the Credentials Provider.
JSON Web Tokens are used for Sessions by default if you have not specified a database. However, if you are using a database, then Database Sessions are enabled by default and you need to [explicitly enable JWT Sessions](/configuration/options#session) to use the Credentials Provider.
If you are using a Credentials Provider, NextAuth.js will not persist users or sessions in a database - user accounts used with the Credentials Provider must be created and managed outside of NextAuth.js.
@@ -119,13 +119,17 @@ The default `code_challenge_method` is `"S256"`. This is currently not configura
> If the client is capable of using "S256", it MUST use "S256", as
S256" is Mandatory To Implement (MTI) on the server.
INVALID_CALLBACK_URL_ERROR
The `callbackUrl` provided was either invalid or not defined. See [specifying a `callbackUrl`](/getting-started/client#specifying-a-callbackurl) for more information.
—
Session Handling
JWT_SESSION_ERROR
https://next-auth.js.org/errors#jwt_session_error JWKKeySupport: the key does not support HS512 verify algorithm
JWKKeySupport: the key does not support HS512 verify algorithm
The algorithm used for generating your key isn’t listed as supported. You can generate a HS512 key using
@@ -161,7 +165,7 @@ Make sure the file is there and the filename is written correctly.
NO_SECRET
In production, we expect you to define a `secret` property in your configuration. In development, this is shown as a warning for convenience. [Read more](https://next-auth.js.org/configuration/options#secret)
In production, we expect you to define a `secret` property in your configuration. In development, this is shown as a warning for convenience. [Read more](/configuration/options#secret)
oauth_callback_error expected 200 OK with body but no body was returned
Related news
### Impact An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases: next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4)) next-auth v4 users before version 4.5.0 are impacted. ### Patches We've released patches for this vulnerability in: - v3 - `3.29.5` - v4 - `4.5.0` You can do: ```sh npm i next-auth@latest ``` or ```sh yarn add next-auth@latest ``` or ```sh pnpm add next-auth@latest ``` (This will update to the latest v4 version, but you can change `latest` to `3` if you want to st...