
next-auth

12 known vulnerabilities · 1 critical · 3 high

CVE-2023-27490 HIGH

Missing proper state, nonce and PKCE checks for OAuth authentication

Published Mar 13, 2023

CVE-2022-31127 HIGH

Improper handling of email input

Published Jul 6, 2022

CVE-2022-24858 MEDIUM

NextAuth.js default redirect callback vulnerable to open redirects

Published Apr 22, 2022

CVE-2022-31186 LOW

next-auth before v4.10.2 and v3.29.9 leaks excessive information into log

Published Aug 6, 2022

CVE-2022-31093 HIGH

Improper Handling of `callbackUrl` parameter in next-auth

Published Jun 21, 2022

CVE-2022-29214 MEDIUM

URL Redirection to Untrusted Site ('Open Redirect') in next-auth

Published May 24, 2022

CVE-2023-48309 MEDIUM

Possible user mocking that bypasses basic authentication

Published Nov 20, 2023

GHSA-5jpx-9hw9-2fx4

NextAuthjs Email misdelivery Vulnerability

Published Oct 29, 2025

CVE-2021-21310 MEDIUM

Token verification bug in next-auth

Published Feb 11, 2021

CVE-2022-35924 CRITICAL

NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

Published Aug 2, 2022

MAL-2025-3795

Malicious code in next-auths (npm)

Published May 14, 2025

MAL-2025-3794

Malicious code in next-auth-core (npm)

Published May 14, 2025