Package details: pkg:npm/next-auth@4.10.3
purl pkg:npm/next-auth@4.10.3
Next non-vulnerable version 4.24.12
Latest non-vulnerable version 5.0.0-beta.30
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-3mbu-vdqr-5yaz
Aliases:
CVE-2023-27490
GHSA-7r7x-4c4q-c4qf
Session Fixation NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network, or who is able to social engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may, using Advanced Initialization, manually check the callback request for state, PKCE and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.
Fixed by: 4.20.1 (affected by 2 other vulnerabilities)
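The workaround above asks the application to re-check state, PKCE and nonce itself when it owns the callback route. The function below is an added example, not code from next-auth, of doing that check fail-closed: every check the provider is configured with must be positively satisfied, and a missing cookie or a missing callback value is a rejection rather than a reason to skip the comparison. The cookie names, the `callback` object shape and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not next-auth's code): fail-closed verification of the
// OAuth callback against the checks configured for the provider.

// Constant-time string comparison so the check does not leak how many
// leading characters of the state or nonce matched.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// RFC 7636 code_verifier: 43..128 characters of the unreserved set.
const PKCE_VERIFIER = /^[A-Za-z0-9._~-]{43,128}$/;

// checks:   the provider's configured checks, e.g. ["pkce", "state"] or
//           ["state", "nonce"] for an OIDC provider.
// cookies:  what this app set when it built the authorization URL
//           (assumed cookie names: state, pkce_code_verifier, nonce).
// callback: what came back: `query` from the callback URL and, for OIDC,
//           the claims of the already signature-verified id_token.
function verifyCallbackChecks(checks, cookies, callback) {
  if (!Array.isArray(checks) || checks.length === 0) {
    return { ok: false, reason: "provider has no checks configured" };
  }
  for (const check of checks) {
    switch (check) {
      case "state":
        // Missing cookie or missing query value both fail: never "nothing to
        // compare, so skip".
        if (!constantTimeEqual(cookies.state, callback.query && callback.query.state)) {
          return { ok: false, reason: "state missing or does not match cookie" };
        }
        break;
      case "pkce":
        // The provider verifies the verifier against the challenge at the
        // token endpoint; locally we insist that the verifier bound to this
        // browser exists and is well formed.
        if (!PKCE_VERIFIER.test(String(cookies.pkce_code_verifier || ""))) {
          return { ok: false, reason: "pkce code_verifier cookie missing or malformed" };
        }
        break;
      case "nonce":
        if (!constantTimeEqual(cookies.nonce, callback.idTokenClaims && callback.idTokenClaims.nonce)) {
          return { ok: false, reason: "nonce missing or does not match cookie" };
        }
        break;
      default:
        return { ok: false, reason: `unknown check: ${check}` };
    }
  }
  return { ok: true };
}

// Constructed requests for this example.
const STATE = "k7Qw3n9Z1xVbL2pA";
// The RFC 7636 Appendix B example verifier (43 characters).
const VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";

// 1. Genuine flow: the browser holds the cookies set when the authorization
//    URL was built, and the provider echoes the same state back.
const GENUINE = verifyCallbackChecks(
  ["pkce", "state"],
  { state: STATE, pkce_code_verifier: VERIFIER },
  { query: { code: "auth-code", state: STATE } }
);

// 2. Manipulated login link: the victim never started a flow, so no check
//    cookies exist, and the state in the URL is whatever the attacker chose.
const MANIPULATED = verifyCallbackChecks(
  ["pkce", "state"],
  {},
  { query: { code: "attackers-code", state: "attackers-state" } }
);

// 3. Cookies exist but the state in the URL was swapped in transit.
const TAMPERED = verifyCallbackChecks(
  ["pkce", "state"],
  { state: STATE, pkce_code_verifier: VERIFIER },
  { query: { code: "auth-code", state: "other-state" } }
);
```

In an Advanced Initialization handler the values come from the incoming request: `checks` from the provider entry in your options, the cookies from `req.cookies`, and `query` from `req.query`; the nonce claim is only available after the id_token has been verified, so the nonce check runs after token exchange.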
VCID-899c-99vb-v7bc
Aliases:
GHSA-5jpx-9hw9-2fx4
NextAuth.js Email misdelivery Vulnerability NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemailer`'s address parser used by the project (fixed in `nodemailer` **v7.0.7**). A crafted input such as:

```
"e@attacker.com"@victim.com
```

is parsed incorrectly and results in the message being delivered to `e@attacker.com` (the attacker) instead of `"e@attacker.com"@victim.com` (the intended recipient at `victim.com`), in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

### Affected NextAuth.js versions

Version (≤) | Affected
-- | --
4.24.11 | Yes
5.0.0-beta.29 | Yes
Fixed by: 4.24.12 (affected by 0 other vulnerabilities); 5.0.0-beta.30 (affected by 0 other vulnerabilities)
VCID-sgje-afkq-y3fj
Aliases:
CVE-2023-48309
GHSA-v64w-49xw-qq89
Possible user mocking that bypasses basic authentication NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this unrelated JWT would let the user simulate a logged-in user, albeit with no user information associated with it. (The only property on this user is an opaque randomly generated string.) This vulnerability does not give access to other users' data, nor to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (i.e. no name, email, access_token, etc.). This vulnerability can be exploited by bad actors to peek at logged-in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, developers can use a custom authorization callback for the Middleware and manually perform a basic authentication check on the token.
Fixed by: 4.24.5 (affected by 1 other vulnerability)
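The default Middleware authorization only asks whether a session token exists, which is exactly what the mock JWT above satisfies. The following is an added example, not next-auth's own code, of the custom `authorized` callback the workaround refers to: it treats a token that carries no identity claims as unauthenticated, and layers a simple path policy on top. `withAuth` from `next-auth/middleware` calls `callbacks.authorized({ token, req })` and redirects to sign-in when it returns false; the token shapes, the public-path list and the `/admin` role rule are constructed for this example.

```javascript
// Added example (not next-auth's code): an `authorized` callback for
// next-auth's Middleware that refuses tokens without identity claims.

// Paths anyone may reach; everything else needs a real, identified user.
const PUBLIC_PATHS = ["/", "/login", "/api/auth"];

function isPublicPath(pathname) {
  return PUBLIC_PATHS.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// A token counts as a user only when it carries the claims a completed
// sign-in populates. An opaque `sub` on its own is what the mock token has.
function hasIdentity(token) {
  return (
    token !== null &&
    typeof token === "object" &&
    typeof token.email === "string" && token.email.includes("@") &&
    typeof token.sub === "string" && token.sub.length > 0
  );
}

// Signature matches withAuth's callbacks.authorized({ token, req }).
function authorized({ token, req }) {
  const pathname = req.nextUrl.pathname;
  if (isPublicPath(pathname)) return true;
  if (!hasIdentity(token)) return false;
  // An additional authorization rule on top of authentication (assumed
  // `role` claim, set by your own jwt callback).
  if (pathname.startsWith("/admin")) return token.role === "admin";
  return true;
}

// How it would be wired in middleware.ts (not executed here):
// export default withAuth({ callbacks: { authorized } });
// export const config = { matcher: ["/((?!_next/static|favicon.ico).*)"] };

// Constructed tokens for this example.
const REAL_TOKEN = { sub: "user_8f2c", email: "ada@example.com", name: "Ada", role: "member" };
const MOCK_TOKEN = { sub: "9d2b6a1f-interrupted-flow" }; // nothing but an opaque string
const mkReq = (pathname) => ({ nextUrl: { pathname } });
```

Keep the identity test aligned with what your `jwt` callback actually writes into the token; if sessions are stored in a database rather than in the JWT, the Middleware still only sees the token, so the same rule applies.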
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-q3v6-17wq-dqf2
Aliases:
CVE-2022-35924
GHSA-xv97-c62v-4587
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

### Impact

`next-auth` users who are using the `EmailProvider` in versions before either `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (e.g. `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker's and the victim's e-mail addresses. The attacker could then log in as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.

### Patches

We patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address (e.g. strict RFC 2821 compliance).

To upgrade, run one of the following:

```sh
npm i next-auth@latest
```

```sh
yarn add next-auth@latest
```

```sh
pnpm add next-auth@latest
```

(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended; v3 is unmaintained.)

### Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

```ts
// pages/api/auth/[...nextauth].ts
import type { NextApiRequest, NextApiResponse } from "next"
import NextAuth from "next-auth"

function normalize(identifier: string): string {
  // Keep only the first two elements of the user input, separated by "@".
  let [local, domain] = identifier.toLowerCase().trim().split("@")
  if (typeof domain !== "string") {
    throw new Error("sign-in identifier must contain an @")
  }
  // The part before "@" can legitimately contain a ",",
  // but a "," in the domain part means a second address was appended; drop it.
  domain = domain.split(",")[0]
  return `${local}@${domain}`
}

export default async function handler(req: NextApiRequest, res: NextApiResponse) {
  if (req.body?.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, { /* your options */ })
}
```

### References

- EmailProvider: https://next-auth.js.org/providers/email
- Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
- Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
- `signIn` callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback
- Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
- `nodemailer` address: https://nodemailer.com/message/addresses

### For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

### Timeline

The issue was reported on the 26th of July, a response was sent out in less than 1 hour, and after identifying the issue a patch was published within 5 working days.

### Acknowledgments

We would like to thank [Socket](https://socket.dev) for disclosing this vulnerability in a responsible manner and following up until it got published.
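Both email advisories on this page (the comma-separated list of CVE-2022-35924 and the quoted local part of GHSA-5jpx-9hw9-2fx4) come down to two components disagreeing about where one address ends and the next begins. The block below is an added example, not code from next-auth or nodemailer, of a `normalizeIdentifier` callback that removes the ambiguity before any mail is sent: it accepts only one unquoted dot-atom local part and one DNS-style domain, rejects anything that could delimit a second address or a display name, and returns a single canonical lowercase address. It also shows why the `endsWith("@victim.com")` check from the advisory passes on the raw list but not after normalization. The regexes, the error class and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (not next-auth's or nodemailer's code): a strict normalizer
// for the EmailProvider `normalizeIdentifier` option that fails closed on
// address lists and quoted local parts.

// Deliberately narrower than RFC 5322: an unquoted dot-atom local part and a
// DNS hostname. Quoted local parts are legal but no sign-in flow needs them,
// and rejecting them removes the whole class of parser-disagreement bugs.
const LOCAL_PART = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const DOMAIN = /^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/;

class InvalidIdentifierError extends Error {
  constructor(reason) {
    super(`invalid sign-in identifier: ${reason}`);
    this.name = "InvalidIdentifierError";
  }
}

function normalizeIdentifier(identifier) {
  if (typeof identifier !== "string") throw new InvalidIdentifierError("not a string");
  const value = identifier.trim();
  if (value.length === 0 || value.length > 254) throw new InvalidIdentifierError("bad length");
  // Anything that can separate addresses or introduce a display name is
  // rejected outright: list separators, angle brackets, quotes, parentheses,
  // backslashes and whitespace.
  if (/[\s,;<>"()\\]/.test(value)) throw new InvalidIdentifierError("address-list or quoting syntax");
  const parts = value.split("@");
  if (parts.length !== 2) throw new InvalidIdentifierError("exactly one @ required");
  const [local, domain] = parts;
  if (!LOCAL_PART.test(local)) throw new InvalidIdentifierError("local part");
  if (!DOMAIN.test(domain)) throw new InvalidIdentifierError("domain");
  // Lowercase the whole address so the adapter sees one key per mailbox.
  return `${local}@${domain}`.toLowerCase();
}

// The check the CVE-2022-35924 text warns about, applied to the raw input:
// an appended victim address makes the suffix test pass for an
// attacker-controlled list.
function naiveDomainCheck(identifier, allowedDomain) {
  return identifier.endsWith(`@${allowedDomain}`);
}

// The same policy after normalization; returns false instead of throwing so
// it can be used directly as a signIn-callback decision.
function safeDomainCheck(identifier, allowedDomain) {
  let canonical;
  try {
    canonical = normalizeIdentifier(identifier);
  } catch (e) {
    if (e instanceof InvalidIdentifierError) return false;
    throw e;
  }
  return canonical.split("@")[1] === allowedDomain.toLowerCase();
}

// Wiring for the provider (usage only, not executed here):
// EmailProvider({ server, from, normalizeIdentifier })

// Constructed attack inputs from the two advisories.
const COMMA_LIST = "attacker@attacker.com,victim@victim.com"; // CVE-2022-35924
const QUOTED_LOCAL = '"e@attacker.com"@victim.com';           // GHSA-5jpx-9hw9-2fx4
```

On next-auth 4.10.3 and later the function plugs straight into `EmailProvider`'s `normalizeIdentifier` option; on an older release it is the `normalize` step of the Advanced Initialization workaround above. Throwing from the callback aborts the sign-in request, which is the intended outcome for input no legitimate user produces.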

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T06:18:09.383226+00:00 GitLab Importer Affected by VCID-899c-99vb-v7bc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next-auth/GHSA-5jpx-9hw9-2fx4.yml 38.6.0
2026-06-06T04:20:21.432248+00:00 GitLab Importer Affected by VCID-sgje-afkq-y3fj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next-auth/CVE-2023-48309.yml 38.6.0
2026-06-06T03:33:33.530085+00:00 GitLab Importer Affected by VCID-3mbu-vdqr-5yaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next-auth/CVE-2023-27490.yml 38.6.0
2026-06-05T21:33:09.137847+00:00 GHSA Importer Fixing VCID-q3v6-17wq-dqf2 https://github.com/advisories/GHSA-xv97-c62v-4587 38.6.0
2026-06-05T17:11:30.413588+00:00 GitLab Importer Fixing VCID-q3v6-17wq-dqf2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next-auth/CVE-2022-35924.yml 38.6.0
2026-06-04T17:51:52.899558+00:00 GithubOSV Importer Fixing VCID-q3v6-17wq-dqf2 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-xv97-c62v-4587/GHSA-xv97-c62v-4587.json 38.6.0