CVE-2023-27490 (next-auth)

NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during …

actor applications auth authentication authorization bad bypassing click csrf cve engineer intercept link log login network oauth open source partial protection social social engineer solution traffic url victim vulnerability