Balazsorban44

**Name of the Vulnerable Software and Affected Versions** NextAuth.js versions prior to 4.10.3 NextAuth.js versions prior to 3.29.10 **Description** The issue allows an attacker to forge a request that sends a comma-separated list of emails to the sign-in endpoint, resulting in emails being sent to both the attacker and the victim's email addresses. The attacker can then login as a newly created user with the email being a combination of the attacker's and victim's email addresses, potentially bypassing basic authorization. This is possible because the `email.endsWith("@victim.com")` check in the `signIn` callback would fail to communicate a threat to the developer. The vulnerability has been patched by normalizing the email value sent to the sign-in endpoint. **Recommendations** For versions prior to 4.10.3, upgrade to version 4.10.3 or later by running `npm i next-auth@latest`, `yarn add next-auth@latest`, or `pnpm add next-auth@latest`. For versions prior to 3.29.10, upgrade to version 3.29.10 or later, or consider staying on the v4 version. If an upgrade is not possible, normalize the incoming request using Advanced Initialization, such as implementing a function to normalize the email identifier, for example: ```ts function normalize(identifier) { let [local, domain] = identifier.toLowerCase().trim().split("@") domain = domain.split(",")[0] return `${local}@${domain}` } ```

**Name of the Vulnerable Software and Affected Versions** next-auth versions prior to v4.10.2 next-auth versions prior to v3.29.9 **Description** An information disclosure issue allows an attacker with log access privilege to obtain excessive information, such as an identity provider's secret in the log, which is thrown during OAuth error handling. This can be used to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. The issue has been patched by moving the log for provider information to the debug level, and a warning has been added for having the debug option turned on in production. **Recommendations** For versions prior to v4.10.2 and v3.29.9, upgrade to v4.10.2 or v3.29.9 to patch the vulnerability. If upgrading is not possible, use the logger configuration option by sanitizing the logs to prevent information disclosure. Consider setting debug: process.env.NODE ENV !== "production" to only allow debugging while not in production. Set the logger option with proper sanitization of potentially sensitive user information if logging debug messages during production is necessary.

**Name of the Vulnerable Software and Affected Versions** NextAuth.js versions prior to 3.29.5 NextAuth.js versions prior to 4.5.0 **Description** An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the API route handler timing out and logging in to fail. **Recommendations** For NextAuth.js versions prior to 3.29.5, update to version 3.29.5 or later. For NextAuth.js versions prior to 4.5.0, update to version 4.5.0 or later. As a temporary workaround, consider using Advanced Initialization to validate the `callbackUrl` query parameter before passing it to the NextAuth.js API. For example, you can add a validation function to check if the `callbackUrl` is a valid HTTP URL before calling the NextAuth.js API.