CVE-2023-48309

Summary

CVE-2023-48309 is a vulnerability in NextAuth.js, affecting versions prior to 4.24.5. This vulnerability allows a bad actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow. By overriding the `next-auth.session-token` cookie value with this non-related JWT, the user can simulate a logged-in user without any associated user information. While this vulnerability does not grant access to other users' data or resources requiring proper authorization, it can be exploited by malicious actors to peek at logged-in user states, such as dashboard layouts. The affected products include multiple versions of NextAuth.js and some related components. The remediation for this vulnerability is to update to version 4.24.5 or newer of `next-auth`. The potential danger posed by this vulnerability lies in unauthorized access to certain user states and possible exploitation of the simulated logged-in user status for malicious purposes within an organization's systems and applications.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.