CVE-2021-43812

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*

History

22 Dec 2021, 03:31

Type Values Removed Values Added
CPE cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : 6.4
v2 : 5.8
v3 : 6.1
References (MISC) https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6 - (MISC) https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp - (CONFIRM) https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp - Third Party Advisory

16 Dec 2021, 20:05

Type Values Removed Values Added
New CVE

Information

Published : 2021-12-16 19:15

Updated : 2024-02-04 22:08


NVD link : CVE-2021-43812

Mitre link : CVE-2021-43812

CVE.ORG link : CVE-2021-43812


JSON object : View

Products Affected

auth0

  • nextjs-auth0
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')