CVE-2021-21310

CVE-2021-21310 is a low-severity security vulnerability in next-auth (npm), affecting versions < 3.3.0. It is fixed in 3.3.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Token verification bug in next-auth

Workarounds

Those not able to upgrade can alternatively disable the Email provider as a workaround.

Description

The Prisma database adapter was checking the verification token but not the identifier (the email address associated with the token). This made it possible to use a valid token assigned to one user, to sign in as another user when using the Prima adapter in conjunction with the Email provider. The defect is specific to the community-supported Prisma database adapter in versions <3.3.0 and is not present in the default database adapter (TypeORM).

Note: The current community-supported adapter was not developed by Prisma.

The defect was a problem in the implementation of verification function the adapter and is not directly related to Prisma.

The flaw may exist in other third party database adapters that do not check both the identifier and token values.

The design of the database adapter API may be revised in future to help reduce the likelyhood of similar defects.

Timeline

On Monday (2021-02-08) we were notified via responsible disclosure by Alessandro Angelino (@AlessandroA) of a flaw in the implementation of the Prisma database adapter included with NextAuth.js. A detailed write up and proof of concept were provided.

The following day (2021-02-09) we published a fix in v3.3.0 and confirmed through internal testing, and with Alessandro, that the issue was resolved in the new release and prompted users to upgrade.

On 2021-02-10 we received a CVE ID and published this advisory within a few hours of notification.

We would like to thank Alessandro for using responsible disclose to allow us to address the issue promptly and publish this advisory once an update was available that resolved the issue and Balázs Orbán (@balazsorban44) for facilitating a timely release of the fix.

Impact

Implementations using the Prisma database adapter with the Email provider are impacted.

Implementations using the Prisma database adapter that are not using the Email provider are not impacted.
Implementations using the default database adapter (TypeORM) with the Email provider are not impacted.
Implementations not using a database are not impacted.

Affected versions

next-auth (< 3.3.0)

Security releases

next-auth → 3.3.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

This issue is fixed in 3.3.0 and newer versions.

Frequently Asked Questions

  1. What is CVE-2021-21310? CVE-2021-21310 is a low-severity security vulnerability in next-auth (npm), affecting versions < 3.3.0. It is fixed in 3.3.0.
  2. Which versions of next-auth are affected by CVE-2021-21310? next-auth (npm) versions < 3.3.0 is affected.
  3. Is there a fix for CVE-2021-21310? Yes. CVE-2021-21310 is fixed in 3.3.0. Upgrade to this version or later.
  4. Is CVE-2021-21310 exploitable, and should I be worried? Whether CVE-2021-21310 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2021-21310 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2021-21310? Upgrade next-auth to 3.3.0 or later.

Other vulnerabilities in next-auth

Stop the waste.
Protect your environment with Kodem.