Moderate severity · NVD Advisory · Published Apr 19, 2022 · Updated Apr 23, 2025

Default redirect callback vulnerable to open redirects

CVE-2022-24858

Description

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.
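
An added example (not code from the advisory or from the next-auth project) of the workaround described above: a redirect callback that compares the parsed origin of the incoming url with baseUrl. It uses the v4 callback signature; the host names and sample inputs are constructed.

```javascript
// Added example, not the project's code: a `redirect` callback for the
// NextAuth `callbacks` option. v4 passes one object ({ url, baseUrl });
// v3 passes the same two values positionally as (url, baseUrl).
function redirect({ url, baseUrl }) {
  const base = new URL(baseUrl); // baseUrl is the site's own absolute URL
  let target;
  try {
    // Resolving against base accepts relative paths such as "/dashboard".
    target = new URL(url, base);
  } catch {
    return baseUrl; // unparsable input: stay on the site
  }
  // Compare parsed origins (scheme + host + port). A string prefix test
  // would accept "https://app.example.attacker.test" for "https://app.example".
  return target.origin === base.origin ? target.href : baseUrl;
}

// Shape of the option object handed to NextAuth (other options omitted).
const authOptions = { callbacks: { redirect } };

// Constructed sample inputs; app.example stands in for the deployed site.
const BASE = "https://app.example";
const samples = [
  "/dashboard",
  "https://app.example/settings?tab=1",
  "https://app.example.attacker.test/login",
  "//attacker.test/x",
  "/\\attacker.test",
  "https://app.example@attacker.test/",
  "http://app.example/",
  "javascript:alert(1)",
];

// Returns [input, destination] pairs for every sample.
function runSamples() {
  return samples.map((url) => [url, authOptions.callbacks.redirect({ url, baseUrl: BASE })]);
}

for (const [input, output] of runSamples()) {
  console.log(`${JSON.stringify(input)} -> ${output}`);
}
```

Only the first two samples keep their destination; every other input resolves to a different origin and falls back to baseUrl.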


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (ecosystem) | Affected versions | Patched versions |
| --- | --- | --- |
| next-auth (npm) | < 3.29.2 | 3.29.2 |
| next-auth (npm) | >= 4.0.0, < 4.3.2 | 4.3.2 |
