| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-3mbu-vdqr-5yaz |
| vulnerability_id |
VCID-3mbu-vdqr-5yaz |
| summary |
Session Fixation
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-27490, GHSA-7r7x-4c4q-c4qf
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3mbu-vdqr-5yaz |
|
| 1 |
| url |
VCID-899c-99vb-v7bc |
| vulnerability_id |
VCID-899c-99vb-v7bc |
| summary |
NextAuthjs Email misdelivery Vulnerability
NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemailer`'s address parser used by the project (fixed in `nodemailer` **v7.0.7**). A crafted input such as:
```
"e@attacker.com"@victim.com
```
is parsed incorrectly and results in the message being delivered to `e@attacker.com` (attacker) instead of `"<e@attacker.com>@victim.com"` (the intended recipient at `victim.com`) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.
<h2>Affected NextAuthjs Version</h2>
≤ Version | Afftected
-- | --
4.24.11 | Yes
5.0.0-beta.29 | Yes |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-5jpx-9hw9-2fx4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-899c-99vb-v7bc |
|
| 2 |
| url |
VCID-q3v6-17wq-dqf2 |
| vulnerability_id |
VCID-q3v6-17wq-dqf2 |
| summary |
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
### Impact
`next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected.
If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.
### Patches
We patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)
To upgrade, run one of the following:
```sh
npm i next-auth@latest
```
```sh
yarn add next-auth@latest
```
```sh
pnpm add next-auth@latest
```
(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended. v3 is unmaintained.)
### Workarounds
If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:
```ts
// pages/api/auth/[...nextauth].ts
function normalize(identifier) {
// Get the first two elements only,
// separated by `@` from user input.
let [local, domain] = identifier.toLowerCase().trim().split("@")
// The part before "@" can contain a ","
// but we remove it on the domain part
domain = domain.split(",")[0]
return `${local}@${domain}`
}
export default async function handler(req, res) {
if (req.body.email) req.body.email = normalize(req.body.email)
return await NextAuth(req, res, {/* your options */ })
}
```
### References
- EmailProvider: https://next-auth.js.org/providers/email
- Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
- Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
- `signIn` callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback
- Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
- `nodemailer` address: https://nodemailer.com/message/addresses
### For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
### Timeline
The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.
### Acknowledgments
We would like to thank [Socket](https://socket.dev) for disclosing this vulnerability in a responsible manner and following up until it got published. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://next-auth.js.org/providers/email |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/ |
|
|
| url |
https://next-auth.js.org/providers/email |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://nodemailer.com/message/addresses |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/ |
|
|
| url |
https://nodemailer.com/message/addresses |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-35924, GHSA-xv97-c62v-4587
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q3v6-17wq-dqf2 |
|
| 3 |
| url |
VCID-qe7h-wtvt-qbeu |
| vulnerability_id |
VCID-qe7h-wtvt-qbeu |
| summary |
next-auth before v4.10.2 and v3.29.9 leaks excessive information into log
### Impact
An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.
### Patches
We patched this vulnerability in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production and documented it [here](https://next-auth.js.org/warnings#debug_enabled).
> You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.
>
> If you want to log debug messages during production anyway, we recommend setting the [logger option](https://next-auth.js.org/configuration/options#logger) with proper sanitization of potentially sensitive user information.
To upgrade:
```sh
npm i next-auth@latest
# or
yarn add next-auth@latest
# or
pnpm add next-auth@latest
```
(This will update to the latest v4 version, but you can change `latest` to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)
### Workarounds
If for some reason you cannot upgrade, you can user the `logger` configuration option by sanitizing the logs:
```ts
// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
debug: process.env.NODE_ENV !== "production",
logger: {
error: (code, metadata) => {
if (!(metadata instanceof Error) && metadata.provider) {
// redact the provider secret here
delete metadata.provider
log.error(code, metadata)
} else {
log.error(code, metadata)
}
}
},
}
```
### References
Related documentation:
- https://next-auth.js.org/warnings#debug_enabled
- https://next-auth.js.org/configuration/options#logger
- https://next-auth.js.org/getting-started/upgrade-v4
### For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
### Timeline
The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-31186, GHSA-p6mm-27gq-9v3p
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qe7h-wtvt-qbeu |
|
| 4 |
| url |
VCID-sgje-afkq-y3fj |
| vulnerability_id |
VCID-sgje-afkq-y3fj |
| summary |
Possible user mocking that bypasses basic authentication
NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-48309, GHSA-v64w-49xw-qq89
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sgje-afkq-y3fj |
|
| 5 |
| url |
VCID-xybf-gshp-nfce |
| vulnerability_id |
VCID-xybf-gshp-nfce |
| summary |
Upstash Adapter missing token verification
### Impact
Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected.
### Description
The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration.
### Patches
The vulnerability is patched in v3.0.2.
To upgrade, run one of the following:
```
npm i @next-auth/upstash-redis-adapter@latest
```
```
yarn add @next-auth/upstash-redis-adapter@latest
```
```
pnpm add @next-auth/upstash-redis-adapter@latest
```
### Workarounds
Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended)
```js
import { createHash } from "crypto"
export default async function auth(req, res) {
if (req.method === "POST" && req.action === "callback") {
const token = req.query?.token
const identifier = req.query?.email
function hashToken(token: string) {
const provider = authOptions.providers.find((p) => p.id === "email")
const secret = authOptions.secret
return (
createHash("sha256")
// Prefer provider specific secret, but use default secret if none specified
.update(`${token}${provider.secret ?? secret}`)
.digest("hex")
)
}
const hashedToken = hashToken(token)
const invite = await authOptions.adapter.useVerificationToken?.({
identifier,
token: hashedToken,
})
if (invite.token !== hashedToken) {
res.status(400).json({ error: "Invalid token" })
}
}
return await NextAuth(req, res, authOptions)
}
```
### References
EmailProvider: https://next-auth.js.org/providers/email
Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
Upstash Redis Adapter: https://next-auth.js.org/adapters/upstash-redis
### For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-39263, GHSA-4rxr-27mm-mxq9
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xybf-gshp-nfce |
|
|
|---|