This repository has been archived by the owner on Jan 19, 2024. It is now read-only.

fix(deps): update dependency next-auth to v4.5.0 [SECURITY] #212

Merged
merged 1 commit into from
Jun 27, 2022

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 21, 2022

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| next-auth (source) | 4.3.4 -> 4.5.0 |

GitHub Vulnerability Alerts

CVE-2022-31093

Impact

An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:

next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.5.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.5
  • v4 - 4.5.0

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:

Before:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

export default NextAuth(/* your config */)

After:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

// Only absolute http(s) URLs pass. `new URL()` throws on malformed input,
// so the try/catch turns that error into a plain `false` instead of letting
// it escape the route handler.
function isValidHttpUrl(url) {
  try {
    return /^https?:/.test(new URL(url).protocol)
  } catch {
    return false;
  }
}

export default async function handler(req, res) {
  if (
    req.query.callbackUrl &&
    !isValidHttpUrl(req.query.callbackUrl)
  ) {
    return res.status(500).send('');
  }

  return await NextAuth(req, res, /* your config */)
}

References

This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: nextauthjs/next-auth@e498483

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.


Release Notes

nextauthjs/next-auth

v4.5.0

Compare Source

Bugfixes
  • don't show error on relative callbackUrl

v4.4.0

Compare Source

Features

Bugfixes

Other


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
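As an added illustration (not code from the next-auth project or this PR) of the failure mode in the advisory and of the guarded handler it recommends, the script below contrasts an unguarded `new URL()` with a validator that also accepts site-relative callbackUrls, which v4.5.0 stopped rejecting. The handler, request and response objects are constructed stand-ins for a Next.js API route; all function names are assumptions.

```javascript
// Added example, not code from the next-auth project or this PR. It models the
// failure the advisory describes with a stand-in for a Next.js API route: an
// unguarded `new URL()` throws on a malformed callbackUrl and no response is
// ever written, whereas the guarded handler always answers. All names assumed.
// Vulnerable pattern: the raw query value goes straight into the URL constructor.
function vulnerableHandler(req, res) {
  const url = new URL(req.query.callbackUrl); // TypeError on e.g. "http://"
  return res.status(200).send(url.href);
}

// Accept absolute http(s) URLs, or site-relative paths resolved against the
// app's own base URL (next-auth 4.5.0 stopped erroring on relative values).
// Returns the normalised URL, or null when the value is unusable.
function validateCallbackUrl(raw, baseUrl) {
  if (typeof raw !== "string" || raw === "") return null;
  try {
    // "//host/path" is protocol-relative and resolves to another origin,
    // so only single-slash paths are treated as relative to baseUrl.
    const isRelative = raw.startsWith("/") && !raw.startsWith("//");
    const parsed = isRelative ? new URL(raw, baseUrl) : new URL(raw);
    return /^https?:$/.test(parsed.protocol) ? parsed.href : null;
  } catch {
    return null; // malformed input: the TypeError stops here
  }
}

// Guarded pattern: reject bad input with an explicit status instead of throwing.
function guardedHandler(req, res, baseUrl = "https://app.example") {
  const cb = req.query.callbackUrl;
  if (cb !== undefined && validateCallbackUrl(cb, baseUrl) === null) {
    return res.status(400).send("invalid callbackUrl");
  }
  return res.status(200).send("ok");
}
// Minimal response object so the handlers run without Next.js or Express.
function makeRes() {
  const r = { statusCode: null, body: null };
  r.status = (c) => { r.statusCode = c; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}
// Drives a handler with a constructed request and reports what a client would see.
function probe(handler, callbackUrl) {
  const res = makeRes();
  try {
    handler({ query: { callbackUrl } }, res);
    return { responded: res.statusCode !== null, status: res.statusCode };
  } catch (e) {
    return { responded: false, status: null, threw: e instanceof TypeError };
  }
}
```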

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 21, 2022
@sonarcloud

sonarcloud bot commented Jun 21, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)

No Coverage information
No Duplication information

@github-actions github-actions bot temporarily deployed to mon-psy-sante-renovate-npm-next-auth-vulnerability-2uh8w3 June 21, 2022 20:33 Inactive
@renovate renovate bot changed the title fix(deps): update dependency next-auth to v4.5.0 [security] fix(deps): update dependency next-auth to v4.5.0 [SECURITY] Jun 27, 2022
@rap2hpoutre rap2hpoutre merged commit 78c14f1 into main Jun 27, 2022
@rap2hpoutre rap2hpoutre deleted the renovate/npm-next-auth-vulnerability branch June 27, 2022 08:45
SocialGroovyBot added a commit that referenced this pull request Jun 27, 2022
## [1.47.3](v1.47.2...v1.47.3) (2022-06-27)

### Bug Fixes

* **deps:** update dependency next-auth to v4.5.0 [security] ([#212](#212)) ([78c14f1](78c14f1))