CVE-2021-21310

Name of the Vulnerable Software and Affected Versions: NextAuth.js versions prior to 3.3.0

Description: The issue is related to a token verification vulnerability in NextAuth.js, specifically affecting implementations that use the Prisma database adapter in conjunction with the Email provider. The Prisma database adapter was checking the verification token but not verifying the email address associated with that token, allowing an attacker to use a valid token to sign in as another user. This issue is specific to the community-supported Prisma adapter and is not present in the default database adapter.

Recommendations: For versions prior to 3.3.0, update to version 3.3.0 or newer to resolve the issue. As a temporary workaround, consider disabling the Email provider until a patch is available.