Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-p6mm-27gq-9v3p

LOW

next-auth before v4.10.2 and v3.29.9 leaks excessive information into log

Also known asCVE-2022-31186
Published
Aug 6, 2022
Updated
Nov 8, 2023
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk15th percentile+0.19%
0.00%0.25%0.50%0.75%0.1%0.2%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

next-authnpm
4.9Mdownloads / week

Description

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest
# or
yarn add next-auth@latest
# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs:

// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
  debug: process.env.NODE_ENV !== "production",
  logger: {
    error: (code, metadata) => {
      if (!(metadata instanceof Error) &&  metadata.provider) {
        // redact the provider secret here
        delete metadata.provider
        log.error(code, metadata)
      } else {
        log.error(code, metadata)
      }
    }
  },
}

References

Related documentation:

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
📦npmnext-authall versions3.29.9
📦npmnext-auth4.0.0&&< 4.10.24.10.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for next-auth. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update next-auth to 3.29.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p6mm-27gq-9v3p is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-p6mm-27gq-9v3p is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-p6mm-27gq-9v3p. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. ### Patches We patched this vulnerability in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on
O3 Security · Impact-Aware SCA

Is GHSA-p6mm-27gq-9v3p in your dependencies?

O3 detects GHSA-p6mm-27gq-9v3p across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works