CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
908 vulnerabilities reference this CWE, most recent first.
GHSA-FQPG-RQ76-99PQ
Vulnerability from github – Published: 2024-07-05 20:08 – Updated: 2026-03-19 18:41Pipeline can panic when PgConn is busy or closed.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jackc/pgx/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-05T20:08:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Pipeline can panic when PgConn is busy or closed.",
"id": "GHSA-fqpg-rq76-99pq",
"modified": "2026-03-19T18:41:01Z",
"published": "2024-07-05T20:08:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jackc/pgx/commit/dfd198003a03dbb96e4607b0d3a0bb9a7398ccb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/jackc/pgx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx"
}
GHSA-FQQ7-VX9F-V496
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:18DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7.9 and later.
{
"affected": [],
"aliases": [
"CVE-2019-1010239"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-19T17:15:00Z",
"severity": "HIGH"
},
"details": "DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7.9 and later.",
"id": "GHSA-fqq7-vx9f-v496",
"modified": "2024-04-04T01:18:56Z",
"published": "2022-05-24T16:50:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010239"
},
{
"type": "WEB",
"url": "https://github.com/DaveGamble/cJSON/issues/315"
},
{
"type": "WEB",
"url": "https://github.com/DaveGamble/cJSON/commit/be749d7efa7c9021da746e685bd6dec79f9dd99b"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQR7-2X83-WF2R
Vulnerability from github – Published: 2023-12-22 21:30 – Updated: 2025-11-04 00:30The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.
{
"affected": [],
"aliases": [
"CVE-2023-32726"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-18T10:15:06Z",
"severity": "HIGH"
},
"details": "The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.",
"id": "GHSA-fqr7-2x83-wf2r",
"modified": "2025-11-04T00:30:42Z",
"published": "2023-12-22T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32726"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BYSYLA7VTHR25CBLYO5ZLEJFGU7HTHQB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMFKNV5E4LG2DIZNPRWQ2ENH75H6UEQT"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-23855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FRHG-FMPG-FQP2
Vulnerability from github – Published: 2023-06-30 18:31 – Updated: 2024-04-04 05:19An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.
{
"affected": [],
"aliases": [
"CVE-2023-37303"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T17:15:09Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.",
"id": "GHSA-frhg-fmpg-fqp2",
"modified": "2024-04-04T05:19:03Z",
"published": "2023-06-30T18:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37303"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I10a9273c542576b3f7bb38de68dcd2aa41cfb1b0"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T338276"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FV57-3HF6-84FP
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-22 00:00An Improper Check for Unusual or Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker with an established ISIS adjacency to cause a Denial of Service (DoS). The rpd CPU spikes to 100% after a malformed ISIS TLV has been received which will lead to processing issues of routing updates and in turn traffic impact. This issue affects: Juniper Networks Junos OS 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S6, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R3-S3-EVO; 21.2 versions prior to 21.2R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 19.3R1.
{
"affected": [],
"aliases": [
"CVE-2022-22196"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T16:15:00Z",
"severity": "MODERATE"
},
"details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker with an established ISIS adjacency to cause a Denial of Service (DoS). The rpd CPU spikes to 100% after a malformed ISIS TLV has been received which will lead to processing issues of routing updates and in turn traffic impact. This issue affects: Juniper Networks Junos OS 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S6, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R3-S3-EVO; 21.2 versions prior to 21.2R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 19.3R1.",
"id": "GHSA-fv57-3hf6-84fp",
"modified": "2022-04-22T00:00:56Z",
"published": "2022-04-15T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22196"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69509"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVC9-HG4X-M85Q
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-05-24 16:46A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a possible Denial of Service when writing out of bounds variables to the controller over Modbus.
{
"affected": [],
"aliases": [
"CVE-2018-7857"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T21:29:00Z",
"severity": "HIGH"
},
"details": "A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a possible Denial of Service when writing out of bounds variables to the controller over Modbus.",
"id": "GHSA-fvc9-hg4x-m85q",
"modified": "2022-05-24T16:46:14Z",
"published": "2022-05-24T16:46:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7857"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0768"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FVFX-GV98-Q344
Vulnerability from github – Published: 2024-05-16 21:31 – Updated: 2024-05-16 21:31Improper conditions check in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-38420"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:15:52Z",
"severity": "LOW"
},
"details": "Improper conditions check in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable information disclosure via local access.",
"id": "GHSA-fvfx-gv98-q344",
"modified": "2024-05-16T21:31:58Z",
"published": "2024-05-16T21:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38420"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FW4X-GM4M-GFP9
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an affected device initiates a TCP connection to an attacker-controlled system that responds with a specific packet, this causes a PFE crash and restart, which affects all services until the system has automatically recovered. This issue can happen among others in the following scenarios: ALG, SSL proxy, UTM, RTLOG, AppQoE probing, AAMW, ICAP, URL filtering.
This issue affects Junos OS on MX Series with SPC3, SRX5k Series with SPC3, SRX1600 Series, SRX2300 Series, SRX4000 Series, and vSRX Series:
- all versions before 23.2R2-S4,
- 23.4 versions before 23.4R2-S5,
- 24.2 versions before 24.2R2.
{
"affected": [],
"aliases": [
"CVE-2026-57022"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:07Z",
"severity": "HIGH"
},
"details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nWhen an affected device initiates a TCP connection to an attacker-controlled system that responds with a specific packet, this causes a PFE crash and restart, which affects all services until the system has automatically recovered.\nThis issue can happen among others in the following scenarios: ALG, SSL proxy, UTM, RTLOG, AppQoE probing, AAMW, ICAP, URL filtering.\n\nThis issue affects Junos OS on MX Series with SPC3, SRX5k Series with\u00a0SPC3, SRX1600 Series, SRX2300 Series, SRX4000 Series, and vSRX Series:\n\n * all versions before 23.2R2-S4,\n * 23.4 versions before 23.4R2-S5,\n * 24.2 versions before 24.2R2.",
"id": "GHSA-fw4x-gm4m-gfp9",
"modified": "2026-07-10T00:31:26Z",
"published": "2026-07-10T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57022"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA110082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G37M-8W79-WGP5
Vulnerability from github – Published: 2026-05-27 09:31 – Updated: 2026-05-27 09:31Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
{
"affected": [],
"aliases": [
"CVE-2025-13392"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T09:16:26Z",
"severity": "HIGH"
},
"details": "Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).",
"id": "GHSA-g37m-8w79-wgp5",
"modified": "2026-05-27T09:31:16Z",
"published": "2026-05-27T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13392"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_25_14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5FM-JP9V-2432
Vulnerability from github – Published: 2022-06-21 20:06 – Updated: 2022-07-08 17:05Impact
An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:
next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)
next-auth v4 users before version 4.5.0 are impacted.
Patches
We've released patches for this vulnerability in:
- v3 -
3.29.5 - v4 -
4.5.0
You can do:
npm i next-auth@latest
or
yarn add next-auth@latest
or
pnpm add next-auth@latest
(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)
Workarounds
If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:
Before:
// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"
export default NextAuth(/* your config */)
After:
// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"
function isValidHttpUrl(url) {
try {
return /^https?:/.test(url).protocol
} catch {
return false;
}
}
export default async function handler(req, res) {
if (
req.query.callbackUrl &&
!isValidHttpUrl(req.query.callbackUrl)
) {
return res.status(500).send('');
}
return await NextAuth(req, res, /* your config */)
}
References
This vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.
Related documentation:
- https://next-auth.js.org/getting-started/client#specifying-a-callbackurl
- https://next-auth.js.org/configuration/callbacks#redirect-callback
A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31093"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:06:36Z",
"nvd_published_at": "2022-06-27T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases:\n\nnext-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4))\n\nnext-auth v4 users before version 4.5.0 are impacted.\n\n### Patches\n\nWe\u0027ve released patches for this vulnerability in:\n \n- v3 - `3.29.5`\n- v4 - `4.5.0`\n\nYou can do:\n\n```sh\nnpm i next-auth@latest\n```\n\nor\n\n```sh\nyarn add next-auth@latest\n```\n\nor\n\n```sh\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended.)\n\n### Workarounds\n\nIf for some reason you cannot upgrade, the workaround requires you to rely on [Advanced Initialization](https://next-auth.js.org/configuration/initialization#advanced-initialization). Here is an example:\n\n**Before:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nexport default NextAuth(/* your config */)\n```\n\n**After:**\n\n```js\n// pages/api/auth/[...nextauth].js\nimport NextAuth from \"next-auth\"\n\nfunction isValidHttpUrl(url) {\n try {\n return /^https?:/.test(url).protocol\n } catch {\n return false;\n }\n}\n\nexport default async function handler(req, res) {\n if (\n req.query.callbackUrl \u0026\u0026\n !isValidHttpUrl(req.query.callbackUrl)\n ) {\n return res.status(500).send(\u0027\u0027);\n }\n \n return await NextAuth(req, res, /* your config */)\n}\n```\n\n\n### References\n\nThis vulnerability was discovered not long after https://github.com/nextauthjs/next-auth/security/advisories/GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.\n\nRelated documentation:\n\n- https://next-auth.js.org/getting-started/client#specifying-a-callbackurl\n- https://next-auth.js.org/configuration/callbacks#redirect-callback\n\nA test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.",
"id": "GHSA-g5fm-jp9v-2432",
"modified": "2022-07-08T17:05:36Z",
"published": "2022-06-21T20:06:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31093"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextauthjs/next-auth"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Handling of `callbackUrl` parameter in next-auth"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.