CVE-2023-27490: 
JavaScript vulnerability analysis and mitigation

NextAuth.js, an open source authentication solution for Next.js applications, versions before v4.20.1 were found to contain an authentication vulnerability. The vulnerability was discovered and disclosed in March 2023, affecting applications using OAuth provider. The vulnerability allows a malicious actor who can read traffic on the victim's network or social engineer the victim to click a manipulated login link to intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection (GHSA Advisory, NVD).

The vulnerability occurs due to a partial failure during a compromised OAuth session where a session code is erroneously generated. The attack involves intercepting the authorization URL created by next-auth, stripping away the OAuth checks (nonce, state, pkce), and returning the modified URL to the victim's browser. When the victim attempts to log in, the Authorization Server accepts the request and generates a code that the attacker can later use to gain unauthorized access (GHSA Advisory). The vulnerability has a CVSS score of 8.1, indicating high severity (NVD).

Successful exploitation of this vulnerability could lead to an attacker being able to log in as the victim, potentially accessing sensitive information, adding or modifying data, or causing a Denial of Service (DoS). The attacker could gain unauthorized access to the victim's account by intercepting and manipulating the authentication process (NetApp Advisory).

The vulnerability has been patched in version 4.20.1 of NextAuth.js. Users are strongly advised to upgrade to this version or later. For users unable to upgrade, a workaround is available using Advanced Initialization, where developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch (GHSA Advisory).