Moderate severityNVD Advisory· Published Sep 28, 2022· Updated Apr 23, 2025

NextAuth.js Upstash Adapter missing token verification

CVE-2022-39263

Description

@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@next-auth/upstash-redis-adapternpm	< 3.0.2	3.0.2

Affected products

Nextauthjs/Next Authv5
Range: < 3.0.2

Patches

d16e04848ee7

fix(adapters): check token during email verification in Upstash Adapter (#5377)

https://github.com/nextauthjs/next-authvoinikSep 25, 2022via ghsa

commit

1 file changed · +9 −2

packages/adapter-upstash-redis/src/index.ts+9 −2 modified

@@ -165,13 +165,20 @@ export function UpstashRedisAdapter(
     },
     async createVerificationToken(verificationToken) {
       await setObjectAsJson(
-        verificationTokenKeyPrefix + verificationToken.identifier,
+        verificationTokenKeyPrefix +
+          verificationToken.identifier +
+          ":" +
+          verificationToken.token,
         verificationToken
       )
       return verificationToken
     },
     async useVerificationToken(verificationToken) {
-      const tokenKey = verificationTokenKeyPrefix + verificationToken.identifier
+      const tokenKey =
+        verificationTokenKeyPrefix +
+        verificationToken.identifier +
+        ":" +
+        verificationToken.token
 
       const token = await client.get<VerificationToken>(tokenKey)
       if (!token) return null

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-4rxr-27mm-mxq9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-39263ghsaADVISORY
github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9ghsax_refsource_MISCWEB
github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000