
Improper Check for Unusual or Exceptional Conditions


Severity High
Score 7.5/10


Improper handling of the `callbackUrl` parameter in next-auth prior to 3.29.5, and 4.x prior to 4.5.0. An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which the library internally converts to a `URL` object. Instantiating the `URL` fails because a malformed string is passed to the constructor, which throws an unhandled error; the API route handler then never responds, the request times out, and sign-in fails.

  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-754 - Improper Check for Unusual or Exceptional Conditions

The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.
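The failure described above, as an added example in Node.js. This is not next-auth's own code or its actual patch; the function names, the `BASE_URL` origin and the sample requests are assumptions. It shows the vulnerable shape (the raw query value handed straight to the WHATWG `URL` constructor, which throws on malformed input) beside a hardened version that treats a bad `callbackUrl` as an expected condition, falls back to the app's own origin, and also refuses off-origin targets so the same parameter cannot be abused as an open redirect.

```javascript
// Added example, not next-auth's own code. Helper names are hypothetical.

const BASE_URL = "https://app.example.com"; // assumed deployment origin

// Vulnerable shape: the raw query value goes straight into new URL().
// Node's URL parser throws a TypeError (ERR_INVALID_URL) on input such as
// "http://" (scheme with an empty host) or any non-absolute value, so the
// function throws before a response is ever produced.
function vulnerableResolveCallback(rawCallbackUrl) {
  return new URL(rawCallbackUrl).toString();
}

// Hardened shape: check the type, parse inside try/catch, resolve relative
// paths against the app's own base, and reject off-origin targets.
function safeResolveCallback(rawCallbackUrl, baseUrl = BASE_URL) {
  const base = new URL(baseUrl);
  // Next.js yields an array when the parameter is repeated (?callbackUrl=a&callbackUrl=b);
  // anything that is not a non-empty string counts as "no callback given".
  if (typeof rawCallbackUrl !== "string" || rawCallbackUrl.length === 0) {
    return base.toString();
  }
  let candidate;
  try {
    candidate = new URL(rawCallbackUrl, base); // "/dashboard" resolves against base
  } catch (err) {
    // Malformed input is an expected condition here, not a crash.
    return base.toString();
  }
  if (candidate.origin !== base.origin) {
    // "//evil.example/x", "https://evil.example/…" and "javascript:…" all land here.
    return base.toString();
  }
  return candidate.toString();
}

// Minimal stand-in for an API route handler: a resolver that throws means
// no response is written, which the client experiences as a timeout.
function simulateRoute(query, resolver) {
  try {
    const location = resolver(query.callbackUrl);
    return { responded: true, status: 302, location };
  } catch (err) {
    return { responded: false, error: err.name };
  }
}

// Constructed sample requests (not captured traffic).
const CONSTRUCTED_REQUESTS = [
  { callbackUrl: "/dashboard" },
  { callbackUrl: "http://" },                   // malformed: throws in new URL()
  { callbackUrl: ["a", "b"] },                  // repeated parameter
  { callbackUrl: "https://evil.example/phish" } // well-formed but off-origin
];

for (const query of CONSTRUCTED_REQUESTS) {
  console.log(
    JSON.stringify(query.callbackUrl),
    "vulnerable:", JSON.stringify(simulateRoute(query, vulnerableResolveCallback)),
    "safe:", JSON.stringify(simulateRoute(query, safeResolveCallback))
  );
}
```

Note that the vulnerable resolver also throws on a plain relative path such as `/dashboard`, because `new URL()` without a base only accepts absolute URLs; passing the app origin as the second argument is what makes relative callbacks usable in the hardened version. Comparing `origin` (scheme, host and port) rather than `hostname` alone is what closes the protocol-relative `//evil.example` case.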

Advisory Timeline

  • Published