CVE-2022-31093: 
JavaScript vulnerability analysis and mitigation

A high severity vulnerability (CVE-2022-31093) was discovered in NextAuth.js affecting versions <3.29.5 and <4.5.0. The vulnerability allows attackers to send requests with an invalid callbackUrl query parameter, which when internally converted to a URL object would fail due to malformed URL construction (NextAuth Advisory).

The vulnerability occurs when processing the callbackUrl parameter in authentication requests. When an invalid URL is provided, the URL instantiation fails due to malformed input, causing an unhandled error that leads to API route handler timeout and authentication failure. The issue was discovered shortly after a similar vulnerability (GHSA-q2mx-j4x2-2h74) and affects the URL validation mechanism (NextAuth Advisory).

When exploited, this vulnerability results in authentication failures and API route handler timeouts, effectively preventing legitimate users from logging in to the application. The unhandled error condition creates a denial of service scenario for the authentication functionality (NextAuth Advisory).

The vulnerability has been patched in versions 3.29.5 and 4.5.0. Users are recommended to upgrade to these versions or later. For those unable to upgrade immediately, a workaround is available using Advanced Initialization by implementing custom URL validation before passing the request to NextAuth. The maintainers recommend upgrading to v4 as v3 is considered unmaintained (NextAuth Advisory).