CVE-2023-27490

Name: CVE-2023-27490
Creator: NVD / NIST
Published: 2023-03-09T21:15:11.913+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.54%

Last modified Jun 17, 2026

CVE-2023-27490 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. EPSS estimates a 0.54% chance of exploitation in the next 30 days.

Description

NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.54%

41.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nextauth.Js	Next-Auth	< 4.20.1

References

https://authjs.dev/reference/core/providers#checksProduct
https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/Not Applicable
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qfExploit, Vendor Advisory
https://next-auth.js.org/configuration/initialization#advanced-initializationProduct
https://next-auth.js.org/configuration/providers/oauthProduct
https://security.netapp.com/advisory/ntap-20230420-0006/
https://www.rfc-editor.org/rfc/rfc6749#section-10.12Not Applicable
https://authjs.dev/reference/core/providers#checksProduct
https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/Not Applicable
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-7r7x-4c4q-c4qfExploit, Vendor Advisory
https://next-auth.js.org/configuration/initialization#advanced-initializationProduct
https://next-auth.js.org/configuration/providers/oauthProduct
https://security.netapp.com/advisory/ntap-20230420-0006/
https://www.rfc-editor.org/rfc/rfc6749#section-10.12Not Applicable

Timeline

Published: Mar 9, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-27490?

How severe is CVE-2023-27490?

CVE-2023-27490 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.54% probability of exploitation in the next 30 days.

How do I fix CVE-2023-27490?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-27490?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST