CVE-2022-31186

Name: CVE-2022-31186
Creator: NVD / NIST
Published: 2022-08-01T20:15:08.583+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 3.3/10EPSS 0.24%

Last modified Jun 17, 2026

CVE-2022-31186 is a low-severity vulnerability rated 3.3/10 on the CVSS scale. NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can user the `logger` configuration option by sanitizing the logs.

Metrics

CVSS 3.1

3.3/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.24%

15.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-532

Affected Software

Vendor	Product	Versions
Next-Auth	Nextauth.Js	< 3.29.9
Next-Auth	Nextauth.Js	>= 4.0.0, < 4.10.2

References

https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3pThird Party Advisory
https://next-auth.js.org/configuration/options#loggerVendor Advisory
https://next-auth.js.org/getting-started/upgrade-v4Vendor Advisory
https://next-auth.js.org/warnings#debug_enabledVendor Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-p6mm-27gq-9v3pThird Party Advisory
https://next-auth.js.org/configuration/options#loggerVendor Advisory
https://next-auth.js.org/getting-started/upgrade-v4Vendor Advisory
https://next-auth.js.org/warnings#debug_enabledVendor Advisory

Timeline

Published: Aug 1, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-31186?

How severe is CVE-2022-31186?

CVE-2022-31186 has a CVSS score of 3.3/10 (LOW severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.

How do I fix CVE-2022-31186?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-31186?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST