
Cloud Vulnerability DB
A community-led vulnerabilities database
An information disclosure vulnerability exists in next-auth before versions 4.10.2 and 3.29.9. The vulnerability allows an attacker with log access privilege to obtain excessive information, such as an identity provider's secret, from the log output emitted during OAuth error handling (NextAuth Advisory).
The vulnerability occurs when debug logging is enabled, causing sensitive information such as provider secrets to be written to error logs during OAuth error handling. The issue affects versions of the next-auth package prior to 4.10.2 and 3.29.9. The vulnerability has been assigned a CVSS score of 3.3 (Low), with attack vector Local, attack complexity Low, and privileges required Low (NextAuth Advisory).
If exploited, an attacker with access to the logs could obtain sensitive information such as identity provider secrets. This information could then be used to impersonate the client and request extensive permissions from the identity provider (NextAuth Advisory).
The vulnerability has been patched in versions 4.10.2 and 3.29.9 by moving the log for provider information to the debug level. Users should upgrade to these versions or later. Additionally, it is recommended to set debug: process.env.NODE_ENV !== 'production' so that debug logging is disabled in production environments. For those who need to log debug messages in production, it is recommended to use the logger option and sanitize sensitive information before it is written (NextAuth Advisory).
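The following is an added example, not code from next-auth or from the advisory, showing how the two recommendations above fit together: a debug flag tied to NODE_ENV, and a custom logger that redacts secret-looking fields from error metadata before it is written. It assumes the next-auth v4 logger option shape (an object with error(code, metadata), warn(code) and debug(code, metadata) methods); the deny-list of key names, the sample metadata and the sink are constructed for illustration.

```javascript
// Added example (not next-auth's own code): a redacting logger for the
// next-auth `logger` option, so OAuth error metadata can be logged in
// production without leaking a provider's client secret.
//
// Assumptions: next-auth v4 accepts `logger: { error, warn, debug }` with
// the signatures used below; the key pattern is a constructed deny-list and
// should be extended to match whatever your providers put in metadata.

// Key names whose values must never reach the log (constructed list).
const SENSITIVE_KEY = /(secret|token|password|authorization|cookie)/i;

// Deep-copy `value`, replacing the value of any key whose name matches
// SENSITIVE_KEY with a marker. Handles nested objects, arrays, Error
// instances and reference cycles; primitives pass through unchanged.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Error) {
    // Keep the useful parts of an Error without serialising its prototype.
    return { name: value.name, message: value.message, stack: value.stack };
  }
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Render one log entry as a single line with redacted metadata.
function formatEntry(level, code, metadata) {
  const body = metadata === undefined ? '' : ' ' + JSON.stringify(redact(metadata));
  return `[next-auth][${level}] ${code}${body}`;
}

// Build a logger object for the next-auth `logger` option. `sink` defaults
// to console but can be any object with error/warn/log methods.
function buildLogger(sink = console) {
  return {
    error(code, metadata) { sink.error(formatEntry('error', code, metadata)); },
    warn(code) { sink.warn(formatEntry('warn', code)); },
    debug(code, metadata) {
      // Debug output is suppressed in production even if something enables it.
      if (process.env.NODE_ENV !== 'production') {
        sink.log(formatEntry('debug', code, metadata));
      }
    },
  };
}

// Options fragment as it would be passed to NextAuth(...): debug only
// outside production, and every log line passes through the redactor.
const authOptions = {
  debug: process.env.NODE_ENV !== 'production',
  logger: buildLogger(),
};

// Constructed sample resembling OAuth callback error metadata that includes
// a provider configuration. The secret value is made up.
const sampleMetadata = {
  error: new Error('invalid_grant'),
  provider: { id: 'example-idp', clientId: 'abc123', clientSecret: 'not-a-real-secret' },
};

module.exports = { redact, formatEntry, buildLogger, authOptions, sampleMetadata };
```

With this in place, an OAuth callback failure still records the provider id, client id and error message, while the clientSecret field is replaced by [REDACTED]; key-based redaction is deliberately conservative, so prefer false positives (over-redacting a harmless field) to a second disclosure.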
Source: This report was generated using AI