fix(deps): update dependency next-auth to v4.24.5 [security] #222
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.22.1
->4.24.5
GitHub Vulnerability Alerts
CVE-2023-48309
Impact
next-auth
applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).
Manually overriding the
next-auth.session-token
cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)
This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).
Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.
Patches
We patched the vulnerability in
next-auth
v4.24.5
. To upgrade, run one of the following:Workarounds
Upgrading to
latest
is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:References
Release Notes
nextauthjs/next-auth (next-auth)
v4.24.5
Compare Source
Bugfixes
v4.24.4
Compare Source
Bugfixes
v4.24.3
Compare Source
Bugfixes
v4.24.2
Compare Source
Bugfixes
v4.24.1
Compare Source
Bugfixes
v4.24.0
Compare Source
Features
v4.23.2
Compare Source
Bugfixes
redirect: false
for route handler (#8775) (27b2519
)d813c00
)?
from signIn URL (#8466)Other
v4.23.1
Compare Source
Bugfixes
next-auth/adapters
(20c3fe3
)default
submodules export inpackage.json
(#8330)v4.23.0
Compare Source
Features
5a8aa2e
)Bugfixes
05ff6ae
)v4.22.5
Compare Source
Bugfixes
next-auth/adapter
&@auth/core/adapters
(nextauthjs/next-auth@3b0128c)Other
v4.22.4
Compare Source
Bugfixes
465644f
)getServerSession
(#8108)res.end()
in api handler (#8244)Other
getServerSession
unstable_getServerSession
v4.22.3
Compare Source
Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.22.3
v4.22.2
Compare Source
Bugfixes
nodemailer
/required types (#7950) (f48eb04
)bd37c55
)169a523
)Other
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.