Unknown · Nextauth.Js · CVE-2022-31127
**Name of the Vulnerable Software and Affected Versions**
NextAuth.js versions prior to 3.29.8
NextAuth.js versions prior to 4.9.0
**Description**
An attacker can submit crafted input to the e-mail sign-in endpoint that contains malicious HTML, tricking the e-mail server into sending it to the user so that a phishing attack can be performed. For example, an attacker can cause an e-mail to be sent that contains a link to their site, which is rendered as HTML by the recipient's mail client. This issue has been remedied in the releases listed below by no longer rendering the e-mail address in the HTML body.
The vulnerable `email` parameter is passed to `sendVerificationRequest` and rendered in the HTML body of the sign-in message. If a custom `sendVerificationRequest` is used, it is necessary to either exclude `email` from the HTML body or properly sanitize (HTML-escape) it.
**Recommendations**
For NextAuth.js versions prior to 3.29.8, upgrade to version 3.29.8 or later.
For NextAuth.js versions prior to 4.9.0, upgrade to version 4.9.0 or later.
As a temporary workaround, sanitize the `email` parameter that is passed to `sendVerificationRequest` before it is rendered in the HTML. If a custom `sendVerificationRequest` is used, make sure to either exclude `email` from the HTML body or properly sanitize (HTML-escape) it.
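The following is an added illustration of the workaround, not code from the NextAuth.js project: it contrasts a template that interpolates the sign-in e-mail address straight into the HTML body with one that HTML-escapes it or omits it entirely. The `identifier`/`url` fields mirror what NextAuth.js passes to `sendVerificationRequest` (the identifier is the e-mail address); the helper names, the sample identifier and the sample URL are constructed for this example.

```javascript
// Minimal HTML escaper for text placed into element content or attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (what CVE-2022-31127 describes): the identifier, i.e. the
// e-mail address exactly as typed into the sign-in form, is interpolated into
// the HTML body, so any markup it carries is rendered by the mail client.
function buildVulnerableHtml({ identifier, url }) {
  return `<p>Sign in as <strong>${identifier}</strong></p>` +
         `<p><a href="${url}">Sign in</a></p>`;
}

// Hardened pattern matching the advisory's guidance: either leave the address
// out of the body (as the fixed releases do) or HTML-escape it before use.
function buildSafeHtml({ identifier, url }, { includeEmail = false } = {}) {
  const who = includeEmail
    ? `<p>Sign in as <strong>${escapeHtml(identifier)}</strong></p>`
    : "";
  return who + `<p><a href="${escapeHtml(url)}">Sign in</a></p>`;
}

// Counts anchor tags in a rendered body; the template itself emits exactly one,
// so anything above that came from untrusted input. Useful as a unit-test guard.
function countLinks(html) {
  return (html.match(/<a\s/gi) || []).length;
}

// Constructed sample input: an "address" that smuggles a link, as the advisory describes.
const sampleIdentifier =
  'victim@example.com<a href="https://attacker.example/">reset</a>';
const sampleUrl = "https://app.example.com/api/auth/callback/email?token=TOKEN";

if (typeof require !== "undefined" && require.main === module) {
  const params = { identifier: sampleIdentifier, url: sampleUrl };
  console.log("vulnerable links:", countLinks(buildVulnerableHtml(params)));      // 2
  console.log("escaped links:  ", countLinks(buildSafeHtml(params, { includeEmail: true }))); // 1
  console.log("omitted links:  ", countLinks(buildSafeHtml(params)));             // 1
}
```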