
Cloud Vulnerability DB
A community-led vulnerabilities database
NextAuth.js versions prior to 4.24.5 contain a vulnerability in applications that rely on the default Middleware authorization. The vulnerability (CVE-2023-48309) was disclosed on November 20, 2023, affecting the authentication mechanism in NextAuth.js, a popular authentication library for Next.js applications (GitHub Advisory).
The vulnerability allows a malicious actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (the state, PKCE or nonce cookie). By manually setting the 'next-auth.session-token' cookie to this unrelated JWT, an attacker can simulate a logged-in user state. The CVSS v3.1 score for this vulnerability is 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).
The impact of this vulnerability is limited as it does not provide access to other users' data or resources that require proper authorization via scopes or other means. The mock user created through this exploit has no associated information (no name, email, or access_token). However, attackers can use this vulnerability to view logged-in user states, such as dashboard layouts (GitHub Advisory).
The vulnerability has been patched in next-auth version 4.24.5. Users should upgrade to this version or later using npm i next-auth@latest, yarn add next-auth@latest, or pnpm add next-auth@latest. As a workaround, developers can implement a custom authorization callback for Middleware to perform basic authentication by checking for the existence of any property besides 'value' on the token object (GitHub Advisory).
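An added example (not code from the advisory or the NextAuth.js project) of the workaround described above: an authorized callback of the shape that withAuth() from next-auth/middleware accepts, backed by a helper that rejects tokens carrying nothing beyond 'value'. It assumes the interrupted-flow JWT decodes to { value } plus the registered claims the library's encoder adds (iat, exp, jti), so those are treated as non-identifying too; the sample tokens are constructed.

```javascript
// Added example: a Middleware `authorized` callback that implements the
// workaround from the advisory (accept a token only if it carries some
// claim besides `value`).
//
// Assumption: the JWT minted for an interrupted OAuth flow (state/PKCE/nonce)
// decodes to `{ value: "<random>" }` plus the registered claims the encoder
// adds (iat, exp, jti). A genuine session token additionally carries identity
// claims such as sub/email/name, so registered timing claims are ignored here.
const NON_IDENTITY_CLAIMS = new Set(["value", "iat", "exp", "jti"]);

/** Returns true only when the decoded token carries at least one identity claim. */
function isRealSessionToken(token) {
  if (!token || typeof token !== "object") return false;
  return Object.keys(token).some(
    (k) => !NON_IDENTITY_CLAIMS.has(k) && token[k] !== undefined && token[k] !== null
  );
}

/**
 * The callbacks object you would pass in middleware.ts:
 *   import { withAuth } from "next-auth/middleware"
 *   export default withAuth({ callbacks })
 * next-auth/middleware invokes `authorized` with { req, token }, where token is
 * the decoded session JWT or null when no cookie was present.
 */
const callbacks = {
  authorized: ({ token }) => isRealSessionToken(token),
};

// Constructed sample tokens (not real captures) used to exercise the check.
const mockTokenFromInterruptedFlow = {
  value: "constructed-state-value",
  iat: 1700000000,
  exp: 1700000900,
  jti: "constructed-jti-1",
};
const genuineSessionToken = {
  sub: "user-123",
  email: "alice@example.com",
  iat: 1700000000,
  exp: 1702592000,
  jti: "constructed-jti-2",
};

console.log(callbacks.authorized({ token: mockTokenFromInterruptedFlow })); // false
console.log(callbacks.authorized({ token: genuineSessionToken })); // true
console.log(callbacks.authorized({ token: null })); // false
```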
Source: This report was generated using AI