CVE-2023-27490
📋 TL;DR
This vulnerability in NextAuth.js allows attackers to bypass authentication and log in as victims by intercepting and tampering with OAuth authorization URLs. It affects Next.js applications using NextAuth.js OAuth providers before version 4.20.1. Attackers need either network access to read the victim's traffic or the ability to trick victims into clicking a malicious login link.
💻 Affected Systems
- NextAuth.js
📦 What is this software?
Next Auth by Nextauth.js
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover where attackers gain unauthorized access to user accounts, potentially accessing sensitive data, performing unauthorized actions, or escalating privileges within the application.
Likely Case
Targeted account compromise where attackers gain access to the accounts of specific users whose traffic they can intercept or whom they can trick into clicking malicious links.
If Mitigated
No impact if proper OAuth state, PKCE, and nonce validation is implemented, or if the application is upgraded to a patched version.
🎯 Exploit Status
Exploitation requires either network access to intercept traffic or social engineering to get victims to click malicious links. The vulnerability bypasses CSRF protection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.20.1
Vendor Advisory: https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf
Restart Required: Yes
Instructions:
1. Update the NextAuth.js dependency to version 4.20.1 or later.
2. Run npm update next-auth or yarn upgrade next-auth.
3. Restart your Next.js application.
4. Test the OAuth authentication flows.
🔧 Temporary Workarounds
Advanced Initialization with Manual Validation
Implement manual validation of state, PKCE, and nonce parameters in OAuth callback requests
🧯 If You Can't Patch
- Implement manual validation of state, PKCE, and nonce parameters in all OAuth callback handlers
- Monitor authentication logs for suspicious OAuth callback patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check package.json for the next-auth version. If the version is below 4.20.1 and the application uses OAuth providers, it is vulnerable.
Check Version:
Run npm list next-auth, or check the version in package.json.
Verify Fix Applied:
Verify next-auth version is 4.20.1 or higher in package.json and test OAuth authentication flows work correctly.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed OAuth callbacks from same IP
- OAuth callbacks with missing or mismatched state/PKCE/nonce parameters
- Successful logins from unusual locations or IPs
Network Indicators:
- Unusual OAuth authorization request patterns
- Intercepted OAuth traffic with modified parameters
SIEM Query:
source="auth.log" AND ("OAuth callback failed" OR "state mismatch" OR "PKCE validation failed")
🔗 References
- https://authjs.dev/reference/core/providers#checks
- https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
- https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qf
- https://next-auth.js.org/configuration/initialization#advanced-initialization
- https://next-auth.js.org/configuration/providers/oauth
- https://security.netapp.com/advisory/ntap-20230420-0006/
- https://www.rfc-editor.org/rfc/rfc6749#section-10.12