CVSS 3.1 Score 5.3 of 10 (medium)


Published Nov 20, 2023
Updated: Nov 25, 2023
CWE ID 285
CWE ID 863


CVE-2023-48309 is a vulnerability in NextAuth.js affecting versions prior to 4.24.5. It allows a bad actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow. By overriding the next-auth.session-token cookie value with this unrelated JWT, the attacker can simulate a logged-in user that has no associated user information. The vulnerability does not grant access to other users' data or to resources requiring proper authorization, but malicious actors can exploit it to peek at logged-in user states, such as dashboard layouts. The affected products include multiple versions of NextAuth.js and some related components. The remediation is to update next-auth to version 4.24.5 or newer. The danger lies in unauthorized access to certain user states and in possible abuse of the simulated logged-in status for malicious purposes within an organization's systems and applications.
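To check a project against the fixed version named above, the following added example (not code from NextAuth.js or from this page's publisher) walks an npm lockfile object and flags every next-auth install older than 4.24.5. The function names and the sample lockfile are constructed for illustration; versions that cannot be parsed are flagged for manual review.

```javascript
// Added example: flag next-auth installs below the fixed release (4.24.5).
const FIXED = [4, 24, 5];

// Parse "4.24.4", "v4.24.5" or "4.24.5-beta.1" into [major, minor, patch, isPrerelease].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), Boolean(m[4])] : null;
}

// True when the version sorts below 4.24.5; a prerelease of 4.24.5 counts as below it.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tag or missing version: needs manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return p[3];
}

// Walk a parsed package-lock.json: the v2/v3 "packages" map, else the v1 "dependencies" tree.
function findNextAuth(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/next-auth" || path.endsWith("/node_modules/next-auth")) {
      record(path, meta);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "next-auth") record(prefix + name, meta);
      walk(meta.dependencies, `${prefix}${name} > `); // nested (transitive) copies
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one vulnerable top-level copy, one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next-auth": { version: "4.24.4" },
    "node_modules/some-plugin/node_modules/next-auth": { version: "4.24.5" },
  },
};
console.log(findNextAuth(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json to findNextAuth instead of the constructed sample.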
