Skip to main content

URL Redirection to Untrusted Site ('Open Redirect')


Severity Medium
Score 6.1/10


next-auth before 3.29.3 and 4.x before 4.3.2 are impacted. Upgrading to 3.29.3 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.

  • LOW
  • LOW
  • NONE
  • LOW
  • NONE

CWE-601 - Open Redirect

An open redirect attack employs a URL parameter, HTML refresh tags, or a DOM based location change to exploit the trust of a vulnerable domain to direct the users to a malicious website. The attack could lead to higher severity vulnerabilities such as unauthorized access control, account takeover, XSS, and more.

Advisory Timeline

  • Published